esp@cenet document view 



Page 1 of 2 



METHOD FOR TRANSMITTING PROGRAM TO LIMIT ACCESS TO END USER AND 
METHOD FOR DECODING ENCRYPTED PROGRAM 



Publication number: 

Publication date: 

Inventor; 

Applicant: 

Classification: 
- international: 



- European: 
Application number; 
Priority number(s); 



JP2001036517 
2001-02-09 

BLEICHENBACHER DANIEL; WOOL AVISHAI 
LUCENT TECHNOLOGIES INC 

H04N5/44; G09C1/00; H04L9/08; H04N7/08; 
H04N7/081; H04N7/16; H04N7/167; H04N5/44; 

G09C1/00; H04L9/08; H04N7/08; H04N7/081; 
H04N7/16; H04N7/167; (IPC1-7): H04L9/08; G09C1/00; 
H04N5/44; H04N7/08; H04N7/081; H04N7/16; 

H04N7/167 

H04H60/149; H04N7/16E2; H04N7/167D 
JP200001 35069 20000508 
US1 9990307643 19990507 



Also published as: 

EP1051036 (A2) 
US6735313(B1) 
EP1051036 (A3) 
i^i CA2307157(A1) 



Repos-t d<st<s error here 



Abstract of JP2001 03651 7 

PROBLEM TO BE SOLVED: To provide a 
system to limit access to contents of transmission 
program such as television program. SOLUTION: 
A transmitter or a head end server is used by a 
service provider to transmit encrypted 
programming contents to one or a plurality of 
customers. A program identifier (p) used to 
identify a program is transmitted to the customers 
together with programming contents. Each 
customer uses a set-top terminal or an 
interpretation key to provide a limited access to 
transmission multimedia information as other 
device. The set-top terminal 400 or the like 
receives entitlement information corresponding to 
a package of one or a plurality of programs that 
can normally be received for a period from a 
head end. 
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(B) ^^=5r<hi loc7)^;?.:5'-^-^^;8^l,;^T"/r 

■r ^ .1 1 j; 0 7°D ^- 5 A ^ - u S <r 1 J; D 

Hf[iarn^-^Afisi]^toMj5St-i.f.y bfitci^^'^T. ifi 

[IMiM 3 ] { E ) tulBx y Fi-^f- i D f#/iTn 
i^''^ A io-b ■/ F tcS-s'v luf Ex y F JL— f t;x y ^ -i' 

y^'-fF;l';'<yF1f|g*^^.l|f[fE7°n^-^A=3r-^#|,/i 

ai<3S3iesc7);ffa^, 

±T'iiifi§iii. ^ i: f sif *« 1 mmm. 

[ifi^iS8 3 ai[i^xyb'^-rtc7°Pi5^7A^i*fi 

n ^ A^iJi^cT) f -y F fig ^fim^^ M^') fa 

rS'-^-fcy N >y a rai:^ n%mzmm-h ^ 

•yTt , 

( B ) ffi^^tL7trni?-5i.jo iti^iriarn^^A^ij 

^ ^lulBxy F:i-if l;mfi-rsXT-y ^^^h ^ 
[|f*]S9 3 plBTni5^5A^im±nb'>/ N*>^>55r 



>y i^^Mij*^3affl$ii-s ^ i: ^!^mi:-rsi**JS8ia« 

[ mm. 10] { c ) ftriax y f^-- ft: i o ftf^r 

n^"7 A<7)-b v F tcS-^'v^T ffiaxy F flcxy^ 

m-mii 1 ] miaxy^^ F/^y Fttfga±. i?r 

lExyF^-- 'f't^j; 0#/irn^-'7Ato-fe'y Ft^a-^X 

^_>y ij _ir)-gp£^tf - h s^^mt ^&if 1 oia 
[ mmi 1 2 ] friEx y f^-- f ii . i &i s ^iz-^iuia 

xy^-f F;F^yFffifg*^i^tf|iaTn^'-5A^-Sr#S 

{m.m. 1 3 3 m.ruifyj^mmmmm\tT 

[ftiRii 1 4 ] itriETn^-^Aiisimi. 

immi 5] ^i'-^:< 10iOTn^-^AyN°'y^r_ 
^'tcMJEt- 1) 7°o ^-y A £ mictox y F^-if'tcMl^ 

(A) MIBxy K^-HftJ; 0f#3trni/5Ac7)-fe>y h 

tca^-i^TMiaxy Fx-HffcxyrJ'-f F;W^y FtffR 

^fmt-|>X-f-yTt. 

(B) r^^^yM.'Mm^tir^^'yj^i. mUr 

^X -?x ^ -=3^- fcy N -y y A Mic ^ 0Jff WfcMffl^S i 
b ^zX-yX%fzr^^'y2^^-^m\-^xm^it-t^Xr- 
■yrb. 

( C ) V^it^Ktzr'Q'f^Jxb i: iKmlBrn/5A 
liSiJ^ ^IfiBxy H jL-if tcinm-f '&;<r -/rb^^h 

liiiaxy F-i-f';0iffliB7°P:7'7A<7)iEix--!f'C-$)fl. 
tf. 1ulBxyF'jL-Hf{ifB1i$fL3txy^-f h;MyF 

[if*IIl 6 3 Miarn^'-^AilSimin f^y Fj&^A, 

miBrni/9Ai?SiJ^<7)MJi5-ri.b'>yF€{cMoT. if 

lBrn^-7 AfiSiJ^O n f'-y V^\m^K^fi{zmWs 

-y y^pimco 1 -^tmm^iih^b ^mibtm-m. 
1 siaeto^ffi, 

[»*3ll 7 3 miaxy:5'>f F;I^^y Fttlg^i. ii 
IBxyHi— ffcj; 0#j:irni5^5AcD-fe-y MzXoX 

[ mm. 1 8 3 ffiaxy F^-^f a. i aiis^i/^iuia 
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)i±x'mm^iih^k^'mLki-m^m 5im<Dij 

km y y Atisij^ ^ gfit" I. X X 'y r t . 

§ il/S gUii-:^^ M leTO 7 A ^ - ^ f# I, X T- ■/ 7° i; , 

( D ) m^ru^yj^^-^m^^xmm^^r^^y 
2^mm:fhXTyrk^^^h^kmwikthis 

x'^/ -v{zj\y ^fmL^mm-fh^k^zxmit^^ 
0 -t^±i&$tLi z k mmktitmm 2 1 mm 

^i^mxh^x. 

l'?i7)4]ra^-t:-t-tfxy^-f h;l/^ybfflffg^^frr 

( B ) rn^-yi.^~xn^it^tLfzim-itrxi^"yj^ 
krx:ii/^M.mm^m-i^T-/rk. 

D mlBT n y i. lij?']^ S.t^' mlB^rel^ - ^- 7 'J 
-tOlB'li § tifz^m^ mlB 7° n / 5 ^ - ^ t# I) X f 

( D ) miBTn^' 7A^-^Ml^T plEHf^-ffcTn^-^ 
- r HIMffl ZkmWi ktmsm 2 3 IBifc^O^ 



[if*]l2 5 ] xy Hi— f /^<7)r^'-fex^$iM-r'S 

(A) VX^'-=3r-i;=jyeA-;?i!.^i: I9"rtg3-K 
HB'itS^^U-t. 

(b) :i!'-^<hCj I'ifT^VX:?-^-^®;!^, 

( c ) mMrvii^yj^mi\wui-'jmi,zm-^\>-^xm 

f B V X ^' - ^ - t^^i--^: < 1 1 1 o toy ^ 'y i MS Sr Bffl 
t-|> ; t '9rni5'7A^-^fflv^-CB>ilB7°n^'7A 

( d ) MfB7°ni5^7Ai^iJi't k i>^z\mitrui^yA 
^ MIBxy h'i-if l^iiftts ct 0 mm-th 1km 

[it*ll2 6 ] xy K^-T-tCj^t-S 7^'^:X^i-$lJ 

(A) vXtJ'-^-fciyfayea-^fl^JRO^tga 

-F^IB'lit-|>7^U-t. 
{ B ) Wm^'tV~izm¥±o^j:^^'yfzr^-^y^-k 

BulB7°n-lr>/ If Hi. 

( a ) MIBrni/7Ai^lJi^<7)h'>y hfi«^fL^fL(OA' 

^ U -fi t:S^'V ^ - fcy ^ 'y y ^ Uli S- 151 

mmi^zmmth ^ 1 j; -^Tff^.iii.rn^'- 7 a^-S: 

ffl I ^ T . rn^^-yAmmfi^t^ f S7°n 7 A £ Bf-^f- 
{ b ) mlBxy K:2--4f-t:[ii-t^b$tifciS7°n^-7A 

j;yfrfE7°n^-7Aiisiji^^iiifit-i. X 0 {zmm^ 

Zknmkth>:^T2^. 

(A) vx^'-^-i3j;V3yt°;2.-^'^;^^K0^tg3 
-H&iB'lit-|.7*U-t. 

(B) MIB^^U-fciWioJSrj&Jof^To-fe^ytf-t 
^*t. miiBTP-fe>yHf-{i. 

(a) mtmmi.zXnX'im^Aihru^'yAcn^yVlZ 

a'3X^-'y'J-i^gP3)-^^tfxy:?'-f b;l/;<yb'tf|g 
S:ij7°n/7Acorny^-{ /-5&^ji.Sitt. 

(b) 7-0^5^7 A^-t;j:-pTBf-t'ft§ii/cfiirt'ftrn 

^"7A, ioj;y^7°n^-7AiiSiJ^^SmL. 
( c ) mtiru^'yJ^mW\Tiii.Xfmtt^~''J^)~<mt 

m^fifzmtimm-^^mmruyyj^^-^nx. 
( d ) mi.ru^yj^^~-i:m\-^xmum^\tru^y 
A^jgn-^-i, i 0 hzmm-h z k ^imk^t i^xy- 

A„ 

[itif<il2 8] 3yb°i-^-i!!^KD'STt^3-K¥ 
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(b) ^■'^<Tt-oiO-7;?,:?-^-&^fc. 

( d ) fflETP^-^AliSiJ^ 1 1 1) tBf^^LS^/illT 

fS^^'S^ § ix/c 3 y t A - ^ M^K D ^tgS?#;T-S, o 
Srfl7°n^"'7Afornv^W ^"-*^ji>gfiL. ( b ) 7°n 

( c ) MieTOi/7Aiisij-?*3ci:txMiB^-7U-cDie 

[00 0 1 ] 

tc. tm^fitz:Ly^A V)i-:^yV\mbMz^ ^yV 

^:m^xmw.^titzruyyArMtthy7.TMzm 

[0 0 0 2] 

[«!*t^Kffi] ^v\fi^Bymmmm'^Wj:^^y 

y^«T-*l> o -l^t^tf- fxrnA'^ 
0<7)rOi^'7A7!)><i,^Ti7)7°n7 7A, mi^t73PHlcO|I 
[ 0 0 0 3 ] Hf- b'xrny N'>f rHiil^. r A..y 

r\3^'y^y9'<^-m^mzmnmhi>. mui. iin 



m&mmzav^x . mm^fii>rr3y'y%y^\i.7y'f 

1 i t < J±1SiScOHf^^£-^t^„ -b .y h h >yT^- 
S-^;KSTT) ^HflW ^c^j;a^:6-fti:\ -i:>y 

b h ^y r ^ - 5 -f/wiBf -^-fbMft ^ L , mm^^h 

[ooo4]-fe-ybb ^yrs-S:i-Mztm^tifzmm 
m^^^m<^mm^mmA^i,z^tti>!h>. -b>y n v y 

7°^' - S -:^;^^±M^f^-fe ^ J. 77°n -tr 'y -if-^-tr =^ J. T;^ 
ht0:t-^"-O^-f >^i^T -f S:* LBf-t^-2:le'Sf 
i^i/'x^'yb-cfes, tTt. -b#ar^^u-i±»^a 

^^t^T-J) !> ^ t < . #ilAJW|fflftt3^- ^ y 7°n 

^■■^ A-tli i t *^'T-# I) , tie*t^-b -y h h -y 7°^- 5 ^ 

■c\ ie*i§ti-s^-coic^sijiitTt*v\ ^f-b'xr 

^ji^ f-il^^i±t^ri^y^-i^<7MmmLxLt 

0 . ^|i^^^o^^)lfl|^;^f-h■'X7°^A■-< jf-fjiy-M- 
K^^Xht-|)7°n/7AtOiC{SMm. 2 07?iO^-r 

[0005] ta!*<7)-b .y h b •yr:5'-$-f;W4, -^-b' 

X 7°n A'-^ f-mM^-t I) 7°n ^ ^° -y i^' t 
MJEt-l. b -y hxy b y -^*t-|> b .y b 7 x ^ 

fi#-C$>ii{f . -b «y b b >yr^- 5-^;W::IB1i§fiS b 

-yb<^b;Wcfc(tl.b'y bxyby-ii r i j t-^.y 

b§til>, ^toflt. -9--bX7°n^s-^^--^iMfit-|> 

9A^S(tSi:, -b>y bh>y7-;5'-5-?-/W±. b-yb^ 

9 VMZT^-^XL^ nm-fh^y bxyh y-:0^--fe-y 
Y^fLXV^ht-Koi^^m\m-rh. ^.tb.y bxyby 
-*ib 'y h ^fiX\mi. ^2 'y h h 'y T:?'- 5 -fMi- 

-y<^w^^tltzv^^^^m^^xruy^A^mmth . 
[0006] mm±ii^^^-/'r~'j (A".y ^-i;i±-jK 

tC-Oi07°n^-7AT-«Jt-ri> ) tMt-OfOb'y bx 

y b y -^M*^l> ; 1 J; D b -y b^^ b ;b*itt:T 
m.m^n^^KXV^hk'jl>z^x.hi)K b-y b'v^ b 
\i--:><7mMm\.z^ < <^raify A ^mmt 

iyxTAI,ziii^xmf^mxU^j:\\ tfz. 

yxTA(:fc(ti>r^bx$ij«b'y b-^^ hMzaif 

6:^yhU-iZX-oXmmmz^l^tl. Bf-tW (cryp 
tographic) m^V^, m^X. i UK«*»'b>y b 
hfV^m^ili^. ^T<?)b>y b^ r 1 J tc-fe.y - 

i: ;^)^■■r■■^ titf , m^ii^Xcora ifyMzr 9^X-fh 

:iht^X^XLto , 

[0007] tfz. 7°a^'-7A^#^^>y^-y'tC^St, 
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{C7°n ^'yl.ir-^t'itl (DXhtiiS. ^ corn ^"yM± 

ji^yjr-i;comnzii\^xmmmmixLt a „ 
[0 0 0 8] ;oj;-5^rn^7A^§^Bt^<l:Ljliii 

t^^bizmiXitmimLXi^hil}^. Tl^hVny 

-y 7° 3^ - 5 -f;l^t?)Mll $ tl/t -b ^ A 7;^ ^ U A° >- 
'r^imti'iz^ tfz. yr-J'^'-'\y¥immzmM^ 

mmztmti ; t ^-^mizLxv^^xi\ mm^m 

il0 8/9 1 2 1 86 (1 9 97^1^8^ 1 SHffill) t 

mm^ixx\^h. 

[0009] "^sxm^ey X'fMzhnh^ru'/'y Mi. 
-Ati;o-CBi-f-ft§il|.o ruyyJ^^-^fi^fi 

^tx'h !> . Tp^'-^ A &iisij-ti> To^- 7 Aiisiji^tt. 

•y h h •yr^-S-^;Wi. gftL/trn/^AiiSiJTp 
yJ^^ y ^' -^ffi S ( Tn ^"7 A t ft 

-'ji:-^mi>zL^j:ifi(^m^m^-^:^mm^A~xi. 
yyM.immmi'iimti^^j:^^t^ii>xh^. 

[0 0 10] 

T 1 h L<l±WM(omMizmmt$tifzru^-y 5 y^" 
I^I^^^'Sm § ix I. „ 7°n ^ A tiJ?iJ-ri> V ^ !> 7° 

o^^7 A^ij^ p ji. 7°n^- 7 5 y^yq^hfticMl^ic 

jifiS^I-So #Ii^{4. -b-y bh-yTrS^-S-t/I^^rV-iL 

7i?-feXSr4i-l>ffii^S^Srfii.l.o -fe-yhb-yT^- 

s i'Mmm^^^ umizjEM^z'^mx'^ iihKn 
mmco r p ^- 7 co-^ -^'yir- i^izn&-f u^y^'-f 



>^ y hit fg^^>y Kxy Yt^h^m-fh . 
[00 11] #7°ni/9A{47"ni5'7A^-kp^fflV^ 

jii?)7°0^'7 A^- k p i4^^0rO:/7 - ^ 

J; 0 ^ztl Z t I . Bmit^titzrn:7'yJ^com 
itifZMlX. FxyK-if-ys;{±-fe.y h h ■yr^'-S 
:?-;Wc7°ni/7A^!li^pS:)im-ri.. -tyhh^rf 

- 5 ;W4f £'1$ ^1/^ X y ^ ^ h y b ffifg t ft(;g 
flL/STn^-^AiiSiJ^ p r^^''yJ=.i:mm-t 

i<^AZ'm^j:mm^-mi.. z^^i^mziiv^x . 
m^tim^(r>rv3i^yM.<7)smmmmThmf. -fe>yh 

b'yT^-s-^;w±ia^istigfisti/-c'ifig^fflv^THf 

-^jt§ix/i7°n^"5i.^-kp ^#l>; . ^CO 

f^T-f 07° n ^- 7 - kp ^ffl I ^"C Bf -t^bS ilJt 7°n 

^yJ^m\=Fpii. roi/^Aco-aJK^t^y^-U 

[0012] iI{17°n^-5A£Bi-5|-lL-rs«i:ifflt^ibii 
§k-t'>y b7°0^^7Adf— kpCOm-ftl^i. VX^J' 

-^-mt: 1 i L < ttMAt^MK^ y^-'A^N -y AlMit 
&}ifflt-|> ; 1 i -5 Tff !> Z. k ^^X% I . mk LX. 

^^^2\mz-fh^\'vy:i-fmnim^^hzbifx-% 

Hi^aiSj(±k-f-y h^Ui-U~imfin^ t Hi t LT 

Hitsc^tE^ji'-k ixmm-f^^ z k t^x^ . H 1 irmp^ 
>y i^:Lmmcotiii]<o^^i: Lxmjith ^ t tK-^ 

I. 

[ 0 0 1 3 ] Mt LT. 7°n^-7AiiSiJ^pfO:g-h--y b 

iiLum&t^^^-^i-'j-imz^-^x. vx^-^-t 

t j; -oTTP^'-^ A^-kp Srff I, i fc ^^jifi S „ ^-o 

LTn^-^AiiS'J^ P^^mf'y h^^i^^slCDXh 
tlli. J^^yi^jLmmHoMiHiCO-ljtiiru^^yJ^m 

<7)n<7)h'yh&m^timizMixmm^tii. mmz 

(i . y N 'y y J. MliH 0 S /stt H 1 cri--jiffir'Q 9'yM.m^\ 

~\>zmmKh. ^^'ikx\ aoco ( n- 1 ) t-^y 
T . tff(7)v ^ -y y ^^t:(7)Sll^:v > -y y ^ r^ii h „ s (4 

HiCO-^*iaffl$^ll>» 7°n^'7Adr-kp(7)tf-^(iljt 

[ici] 

[00 14] itOio^c^-yy^OTi, 7U-fO;L'- 
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Hi ^mm-f !> ; 1 j; 0 7 'J Z t t^Tt 

y - K u ^cr>j'<X±cr>H±cr,yK}l'Cr>^^:$) h . 

T (u) {±y-Ku^;^-^tt- 1. -9-7-71;-. mh. 

y - F u an^'v y - (t y - 7 7° n 

u (u 1 ur) \,znLX. -tr/V'J-T (u) 

ttl>fnrtLt07°n7'^AtO^-^ i>y^■y^JI.Mi:Sr ( n- 
[0 0 15] 

I hKimmmim^-yh^-^ l l O^ittX-^'y 
h h 0 0-4 0 1 £W-rS 1 t> L<ii: 

mhXhh, L(7}^y Kxy 0 0i±ll3t 

W3i LTTTllf^ L . -fe 'y b b 'y 77 - 5 -^^71^4 0 0 ii 

ii4t3Pi}iL-cT-ciai&f-i>, ^-v 

;k-?^y T ^ Ttt 1 7 ^ -fe 7 MP! ^ i I. V ^-f ^xioas 
^tf, -t >/ h h ■/ 77 - s -^;^*^■||^Tt-^ y 7 h 7 X r 

(±■9-- t'^rm^''f y-if-f^yu- Y-fh iiCOX'h-y 

XhX^'K ^-y h7-:? 1 1 OliT'J^^H-^r-y-^ 
-fx ( D S STM ) c7) j; d ^r7°n7'7 5 y7'F^§^gSft 
•r'i.i!Ei57'n-F^-v7h;T-y hV-^'. ir-y;^^^ 
tVgy^-yhV-i? (CATV) , &«3^:t-y b"? 
(PSTN) , 3i£^-y by-i?. I SDN. ^ 

[0 0 16] -^•yhh'yT^-S-f;k4 0 0{i^-yFX 

§;&^'iEffl-3-— - Xh I. Tn 7' 7 A tH^grAiT 7 -fe 7-t 

\ili>L< >y ^- i/'tM-r I. z. b t^x^ h „ 



t£^^:i.7m5^t.fz\mi5^r'oYn)V-^m\'^X^'y 
Yx.yV^-X-3 0 0*^4-fe>y h h'yT^-5-^;l'4 
0 0 lcr'»'n- K-ri, i: ^ . 
[0017] 7°o^y^=^-feJ;y7°n^7i.^siJ^. 

i?'^ A^- k p {±7° n^/^ A ^' t (7) J: -r I. i 

MLTti, TiK. B. Schneier, Applied Cryptography (2 
d ed. mDiZtm^tiXV^l. Bf-^-ft7n7'7At^jI 
{il:Jni.T. 'v-/ HxyH-9--yN'-3 0 0«4-fe>y F V -y 

7^'-S-:h;k4 0 Ot^nt'-y h7°n77 AflSiJ^ Sr 4.}S 

-fe y h h -y 7° 5-^-/1-4 0 0 i^zX-^Xm^^tl. TX 
[0018] 7°n7'7A^737°n77AiiSiJ^t^fJ'}E?f 

X t m-thr(^msxmm-t6 xoiz. rn 77 ahj^ij 

V^T. 7°P^7AiiglJi^p«MPEG-2m*(=^§ 

tlfcECM7^-;PKt:T3MftSixl>3 2h--y bffi:?)^/^ 
1tl>it*^'T-|:|., ;7)±|^. LIii:M^Sgt07°n7 
yAtOJES^— tf--^-S)im\ ^^ -y h h •y7°^'-$-:^;^ 

[0019] ^?tmiowtcm'&i,zimi. m^mm 

TP7yAt;fflU^,iX|,kh-'y hi07°n7yA^-kp 

X^l. }i^:MM£^7y7'Ay^-y7^Ma^0iM±, Tl 
U;. 0. Goldreich et al., "How to Construct Random 
Functions, "J. ACM, ^: 792-807 (1986) (;:|5«J$fLT I ^ 

[ 0 0 2 0 ] Mi: LT . em^mz-^i^ j^TXh D , ^ 

H : {0,1} {0,1} 2X 

::C:-C\ k{4TPi5^7AdE— kpC7)*§'C*)|,„ 

yN'y7j.MS[H{ikh--y hTiys'-^ y -ffi^E 0 . 

;i $ 2 k coy ^'-f y -ffi ^ # !> o ^ 7)y ^ -y 7 H 

tH:^7lik f -7 F ^ y -fgo^^ Ho Hi t LT^-Ti 
ii-C. Ho{i:v>>y>'jLMi:H<7)ffi:)3CO£ 

ffliM (ifffllJflff.y b ) T-S) D . H {1} iiy^ -y 
mncOffi^cOMIM (^tiet'-yb) f$)l>. Hot 

[0021] k=16 OX$>tHi., H{4. ^tK. Secure 
Hash Standard, National Institute of Standards an 

d Technology, NIST FIPS PUB 180-1, U. S. Dept. of 
Commerce(April , 1995) tiaaStll> X 0 ^J:%mr\ y y 

:Lwms\iA-i^:mv^xm&-thLbi?x%h. m 



(7) 182 001-36517 (P2001-36517A) 



Ho«iSHA-l (x II 0) t^O. Hi«SHA- 
1 (xjj 1) ttph. ^^X\ Qtl\±^tL^tl^XO 

[0 0 2 2] 7°n^'-^A^-kpii, Tn^'"^jUtiS'J^ 
P -f y — ffit:{^-5 T ^-df-mtc 1 i L < ii: 

T m i;^ ^ .y ji. US: H 0 4 ^: ii H 1 Sr 

ni^f wtcjfffl-r i fc i -5 T^ls i . -m. 

tc. t trn^'-^ j^HSiJi^P *i n f -y Y t^i^mai. 7° 
n^"5AiiSiJi^pi^^jE-ri> f-y bffit:t5e-^TTn^"^ 

Ailj^lJT P £0 n CO f .y h figcO^ixmt-^ ^ «/ ^i5flS^ 

[0 0 2 3] m^\zr\^yiya.mfmf>ttz\micr)-l5i:)^ 
fttffi h" -y b ^ ij -fl t;^ -9 T V X ^ - t;ia 
-t^oMT-. ( n - 1 ) f'y hfiS-e^i 

|>f-y btO^^'-f-fU-ttt^t^oT, frcO^\-yi-jLts#cO 
[Iic2] 

[0 0 24] ±ii<7)j; 3(3. A..y Kxy K-9--A'-3 0 

•y b f -yT^- S -^;k4 0 0 (iSfi7°n^-5i.tO||iIt 
ffl t ^ ^> ii 1. 7° n / 5 ^ - k p ^ # ^ ( tixJf =5: ^> ^ V \ 

yyj^^mi^p immmizmi^xmm<7)-t yhh >y 

-S^;P4 OOlzX-oXni^ti^ifhim^^^W 

[0 0 2 5] _^-'yy- 

-hTlML^cidt. 7°n^'7A^-kpi±. ru^"y 

i L< iiMAcO^^ 'y ^ j.P«A^[M]MWt:fflV^|, ^ 1 J: 
-5 Tf# I. ; t /&^'T- ^ !> o k f 'y b co-?X -df- 

mSrfflV^I., 7°ni?-7i.iiSiJ^-p(7)h'>y hJ±p = 
(Pi P„) tLxmt^ttiK'^^. i^-C. Pi 

[^3] 



[0026] )\^yi/^\m\t. m^^zT^Lfz^-v^)- 
2 0 0 to j; a t£%^t£ n y -7 u -T h t 

T^t"^ t I. „ El 2 \iZ^.\.fz^~V y - 2 0 0 
3f>y b;!)^'^^^rni/7AilSiJ^P^t-r«.llg 

miznmfh. ii2fc^-rj;at3. vx^^-^-m3bS7 

y-2 0 0co;^~h2 1 Ot;BBM§ti-l.o 7°ni/5A^ 
-kp(±y-7y-F2 4 0-2 4 7toj;a^jy-7y 

- H !> . T y - 7 y - K 2 4 3 n 5 A ^ 
-kpfc*t{E-ri,>f yx-y^'XO 1 Ii0j;a^ll2fc^^ 

■f:g-7°o^-7A^-kptMJE-tl.-f VT'y^Xfi. )V 
-V2 1 0;^)^A,y-7y-F2 4 3^iO^-'yy-2 0 
0SraL■rw^^xS:^-f o fijitf. 2 4 3c?)7°n^'^ix 

=3f-kpi±, ;^-b2 1 0;{)>/o£7)txvi; (Ho) . y- 

K2 2 0*»^<7):&X>yi; (Hi) . y-h'2 3 27&»ibcO 

-y ^' ( Hi ) t fl. ^ t -^T^l. ^ t A^T-i 
h„ Ho*^Hl:^)^■||2W^>y>-JL^SS^^S^;}lffl§ 
il I. . 7° a / 5 A df - k p 0 1 1 £ # S ; t *i T- ^ <, 
[0027] faa-oT. y-K24 3<7)J;o>^y-h'uCD 

7^;Ni, ;t/-b2 1 0*^4y- Hu^co^txcox-yi^' 

<;Wi:7°p 7 Aii^iJTp -^«^|> ^ h iS'X:% h . 7 

- H u h i: -f -s. -r T'-y y - ^m-fzub izm-h. 

y- K u (7)-tf y -i::i3(tS y -7 K^IB-f S Tn / 

7A|iM^ptO-fe-/ bSr^-r^cftt) . T (u) ffm^ 
loflh. ^—7']-2 0 0{Ziinhm^r{ZiinhnU 

y-Ku(4. g|5^]Wn:?'-7AilSiJ^^p (ui 

u,) Srf L. ^iiA.t2ji^L. -^-^^y-T (u) 
f t !> V ^ -f tl to 7° n 7 A to df _ ^ If ^-f I, ; t ^i- 1: 
I, „ y - K u tO-+?-7'7 y -t^fctt I) V ^-f tltOTn^"^ A 
(Odf-£iv\.y^^r^|^£ (n-r) mWm^^h^h 
kzii^m-t^^tifiX'^h. flrfte^Kti. 5i•t}]=5^>^■y 
J^^|llitHo4/-c{±HiS:7°n^-7A|iM^pc?) ( 

r ) COfiMtfftOf'y b ^tl^tlffmm^^^-fh i. 0 t-lffl 

i^l.o fi^oT. y-Hut;m^-r-i.rni5''7Adf-kp 
(4. y- K ucsD-tfT^'y ^)-\,ziinh-^Xff^ru^yMz 

[0028] i LMI*H*M7 y^-A|g4lff-r-$)ix 
"/ h-y^/k p (0, 1} n-^ <0, 1} K {4iiM7 y r A 

Mi[T-$>l>o ^ixtoUT(i;:Xi;. O. Goldreich et a 
1., "How toConstruct Random Functions," J. ACM, 3 
3:792-807(1986) matfe§tLTV>4 , 

[0029] xXf-Any^K-^yh. 
H3{4A.-y b'xyKHf-yN'-3 0 0c7)7-^f-'f 

-S:^^7'n-y^HT-$)l>o ^vKxybJi:, fV\£'J 
aV^-yby-y. ^^-7';kilffl^, T^^'y/btiM^f- 
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ttl^t J&^T'^ S , A. .y Hxy KHf-y \'- 3 0 0 l±m 
Ui. IBM Corp, mmtl R S 6 0 0 0-)fws;-(cTll 

^^h t^Ti ^ , A,,y Hxy F-tf-ys- 3 0 0 iciirn 
■fe-y-9--3 1 0fej;t^T-^iE'[iTVSWX3 2 0<7)<J:d 
Ki:mm'tt:<=tU-^mt^. ra-fe>y-9--3 1 0{±m 

-corn^2 .y-tf-fc LTSIgLT i J; < . MMt^iJfl^t- 

E'liTV s'^ X 3 2 0 ^ R O M 1 i L < timt^^^ £ 

laii^-yr. ro-b-yHf-3 1 oj&suDmt, fmt. m 

[00 30] Bt(r)X 0 {z^ T~9tmTf U X320 
-^-m ^ leif ^ -T- ^ 

LXtm^i-fl X 0 iz. f-^tm^rs^ X3 2 0 (i:7°n 
^'^M.T~9K—x 5 0 0 S-^rt"'^ o 7°n^'"^AT-^ 
'<;-X 5 0 0{i7°a^''"^A^SiJ^pi5i;t/#Tn^-7A 

3 2 0i4xy^-f ]-)V:Ay]-m%mtr'Q^7.1 
.fct^roiJ'^i^ffifiro-fex 8 0 0 ^ Wfl> « 
[0031] HKt. xy^^ h/M y bfffgiemrn 

IfMZ. ru^yMzm*)'MXi^tlfzrx:i^yJ:.m^\ 

[00 32] Mfi*°- b 3 3 0(±^-y Kxy K-f-A- 

3oo^^-/hv-^i 1 ot-^^r, mitc^L/c-t 

•y b b 'y r^- 5 -f;^4 0 0 CO J: ^ ^-o^j&Wc^fl^ 

■tti-^'iUz^y KxyKHf-ys-3 0 0 ^ U y^^-f-S., 
[0 0 3 3] 1114 ii. •fe'ybb'y7°:5'-5-^^;1^4 0 0c?) 

>yr^-S^;W4 0 0{±, ^Ji.{f, Tl^tVayfcMje 
-ri. -fe'yhh^yT:?- 5 -^;^(STT) isLTl^-f-S 

Zt-h^X%h.. -fe-y hb-y7°^-S^;t/4 0 0i±, 7°n 
■fe>y-t^-4 1 Oi3i;i;^T-^'ia'li^S4 2 OiOj;^^:;^ 
^U-. j»l^-h4 3 0^1i;t. ll3t3WaUc±<7) 

[00 34] ae t:PI31LTTTl^JBJt-|> i ^ t:, r- 
^iaii^g4 2 0Ji. T-^ia'l^E4 2 0OHr^^T 
gE*{:fB'lit--&ii:*^"C§Sxy:S'>f b/l-^yhT-^ 
'<:.-X6 0 0^^ii.l.. xyrJ'^f ^;^;<y^T-:J"<.- 
x60 0{i;il^*^'xy^-f b;I/;^yhS:t-t-l.7'ni5'"5 
A tc>f^ -t !> 7° n ^ A =^ - k p ^ ff I, /-^ 46 1 ie:^^^^ - 

7y-2oo^siiii-£-i-tfo 'f-nmmw.A2 



Oii^'y^AMSEHotHi (44 0) 

m9\.zm:LxTxwm-h i a i^, T-^'iBM^M4 

2 0{4x:3-Krn-bX9 0 0 5r-i-tf<. -^fc, t:^- 
K7°n-feX 9 0 Oi±, 7°n^'7i^^-kp ^%tfz^\z 

^\t^fifzru'/^j^m^\i-phi. mm § fi/^^x y ^ 

^ h;MyMf|g6 0 0^fflv\ ^■LT7°n^'7ix^M 

[003 5] m5\i^ ^'y Fxy H-if-yS-3 0 Ot^J; 
-3 1 31ff § til>#ra ;^'5i>. P ±t:'lf fgSrlB'li^^ 7°n 
if3A^—irK.~X5 0Q^^LX\^h. ^<^mk\t. 

^"7Aiisij^pttt.t:, M-i(f. Mmrmzmt^fi 

7°n^''7AT-^'-^-X5 0 0ii:U3-F5 0 5 — 

tL^tLm^j:^rv3i/yAI,zmM-^if^tlX^>h , 7 -f - 

5 2 5t;-Crn^-7A::St:J;':.-CiiSiJ§ixS#rn 

^^yj^m^mzntx . rn^'-^i^r-^^-^^s o o 

(i. 7 ^ -;t/F 5 3 0 l^zx^corr^^yi^tm-t^m 
■flJ-^-y^-'Jcom^i^^. 7 5 3 5i>ZXM 

[0036] 116 i±Iil:*ix y^-f h}iy<yh^^-tl 
ru^-yMzMbxrviy'7M.^-h^inicoi,Zim 
t'$>s^->y'J-2 0 o<7)gp:}>$r-^tfxy^-Y hiv^y 
br-^'^-^eoo^^^L-Cv^l,, m^LJtj:^^;, 

T (u) (±y-KuS:;k-bt-rii-9-7"7'J-, 't^j:h 

-h. y- F u foi?-7'y y -t^i^tt i> y-7y-F240 

~ 2 4 7 t^MJtEt" !> 7° P 7' y AUSiJi^ p O-b 'y F £ ^ 
-r, mtf . i>L^3&f;-7y-H 2 4 0-2 4 31: 

MJE-tl> 4 oiorn^- 7 A^gfi-ri> i t fcMLTxy 

^-f F^L-y yf^*-ri>i^:.H\ xy^-< F/Fyybtt 
#i±. y-F2 2ot;m^ti.4'm-*^^.^i.iht 

(440) {±i£:^StJS tT. y - H 2 2 0 C0^7'y V ~ 
t:*3(tl.*y-F2 3 0, 2 3 2, 2 4 0-2 4 3t;*t 
LT rnyy A^- k p /^*t:ffl V ^1. ^ t i}^X^ 
I. 

[0037] mex-^LtiJiy^^ h;w^yhT-^< 

-y6 0 0{i, y-7y-F24 0 — 24 3 tMJE-t-S 
Hocoyny^A^gmf-SIESi— f-T-fe 0 (xy 
:?-f F/MyF/i%S) . y-7y-F24 6- 

2 4 7 t3Mli5f I. ~0<^TPi/7 A^^fi-ri)iEffl:i- 

■tf'-f$)i>o xyy-f F/Fyy Fr-^'^-y 
6 0 0tlEI4Six/Sxy^^ F;Fy y F'lfffgfi, y-F 
220i:y-F236H>PfE^f -l.4'rBl^-*^fc^l)« y 
-F'220. 236^iimt:ML. xy^'-fF/i^yy 
Ft-:J"<.-X6 0 0t;:fail:?ii3txy:5'^ F;Myh 

K L/irn ^' y ^ >y ^- y t Sr3'V -^Tx y F ;W 



y V^-^^-x 6 0 0*^4^$iiS:tr^{±. 07 i:M 
[0038] 7°^^■■^A^^°-y 

[0 0 3 9] v>°.y^r_>>-s(;Mt"Sxy^-f V)]/:^^ 

mm±. T (s) tDy-Hi^ijutffif^sfi^pf'rHi^- 

-fe-y h h'y7°^-S-t;I^4 0 O^^i^IESit^S 

^%^<n V i; , ^ ^-f ti^ofi S^o - ■/ h -fe ■/ 

SlJ*)E!iT/^il^lH\ xy^'^ b il-^yb 'If fitter -y 
-yT3?-5-f;b4 0 Oc?)F|iJPfi§tl/t-fe^;i.T;^^ U-t 

[0040] yu^x 

JiJii^iat:. ^-y HxyK-9--v^'-3 0 0(i:|I|7t:^ 
Lfcxy^-^ h;k;'<y bttfgiSfiro-bx? 0 o^Mf 
U . iEig^-- f - -C- J5 7°o 7 A 7 ^' t"!) 

'^^-x 6 0 0 ^4^LKfrr S , Wt<r)i^ 0 \,z^ xy^ 

b;l/^>'bT-^'^--X6 0 0 mii:;0^'IES:3-— tf- 

tDtc<^^g^r=5r-7'J-2 0 0cO#y-Kt3WL-C. ^ 

[004 1 ] fie-^T. xy^-^ \-)v^vymkmtru 

§(710), ^<m<z. xy^^ h/MV-bfffglBfi 

7°n-feX7 0 0i±7U-7-Kc?)Jl/h't>y fT (S) ^ 
H'^ttl.o ^f0^f7-7y-iiIE5it:^-^^''y b^r-y b S 

7'rni5^9AM!3iJi^pc7)ft:^T >?.i;3 y b>f y^- 
^^VP^fcii^Sii-S ( 7 2 0 ) « -ocorn^^Ai^iJ 

-f -f 7-X-$) !> Ji-^t: . 3 y -fe ^ A T ^ 7' t #i. i^til> o 
[0 0 4 2] ^LT. (s) ;^^'#-f y:?'-ysvi/ 

t^MtT^-Oft^ni. (7 3 0) , if^^-cO-fe^/bk 

ii:#-f y^'-vsvt/t:)^^i>^A-T (s) coy-bt 
Tfm§ixl.MJtGt-|>i5^^W7°n^-5A|i!?iJ^p;&^'^feJ3g 
^tvh (740) 0 *f^tc, *)il$ii^cxy^-f b;^;< 
y Mf#g3&i'v>y h'xy b'Hf-y\'-3 0 0 i-^T-fe •/ h 

>y 5-j-;P4 0 o^i: :?''>yn- ( 7 5 
0 ) , 7°n^'-^i.MfflI*mT^I> ( 7 6 0 ) „ 
[0 0 4 3] y-^^''y b-fe'y bStCfeft-S-f y^'-AVL' 



Ifi2 001-36517 (P2001-36517A) 

^N°'y^-S/Sn-I.Tn^'7Ai^m 
■^^Ml^T^-y >y b-b -y h S^&im^ixl. » -9-7'7 U 
-*i^-^'>y N-b -y b S ^JE€t;^-'^'-t-|. J: o =5:7 U 
- 7 - b' i^it/h-b -y b J; 3 , 

[i[4] 

)=5 V A^O. |Z| (J:S/h 

to^-^--T-7°n^-7 AfisiJ^ p to|i--f y ^-Avui 
(S) j?^§n(?)=3f- 
7U-2 0 0fc^;b55r{m«f^'?>55rV^, #oT, xy^ 

b;i^yy b'lffgEfi7°n-t:X7 0 OiOn^ramiiSfii 

(S) ■ ncO:t-^-i:^l>o |s|«t:. ft/h;^;^'^:-T 

(s) I (s) ■ xvm~f-)Lt£h, M 

f-y b7V7^ -/^xn^^-th^xoyy'W/^ 
[ 0 0 4 4 ] c:<?) i 0 >5r#-b f >y A°.y ^-i;cDxy 

^-f b/b^ybli, ^-7U-2 0 0(2fc(tl>#-c0^ 
-T-3^l>o ttz. v;^■^bb°■y^^^°■y^-->^'^I^J{tfflil 
L'C-T-fey7Vk-ri)Ci:j!)^t"S-l., xyj?^ b;L';'<yb 
ffifgJi^li. v/l/f - b e -y >y y-i/><i>!5rS|®^ 
c7) b -y X t^fri, df-co-b >y b -Cfc S , 

l\ 7V7 ^ -y^Xxit^J: DS£StL|,yN°-y^-i^"{iR| 
t^§f00 7V7^' -y^X^fflV>-r7°n^"^A^SM-t 
I, i a t ^: -y b b 'y 7° y - 5 -^;l/4 0 0 icM LT3i^ t 

[004 5] ±jiiOj; 3 -^-y bxy b-f-A-3 0 
0(±, ll8t;7K-r7°n^"^i^lSfi7°n-trX8 0 OSrMf 
L. 7°n^'-^A|i;5iJTp£fflV^T7°n/5i.£ftlML)3i 

^> tl/i TO ^--^ AliSiJ^ p tiSo' V -^T 7°n ^ A ^ - k 

p^#l>o 7°n^"7AgSft7°n-feX8 0 Oii. Hlgt^jl 

fixT'y7^mti±. Ji-77-^ y^v^tmr^t-^-t 

firn-feXS 0 Oiii^ftr <#rn^5A$:MS!|-r§i 

(81 0) „ 

[0046] ^oMkz^ 7°n/^i.Mt7°n-feX8 0 0 
(i:Tn:/9i^T-^<-X5 0 0>{)»^)<7)rn^7AtM 

jE-ri.Tn^'^AiiS'J^P^KDtiiL (82 0) . -^-i?) 

(830) . ^ LT7°n77A{ilutOXf 7 7T-Iti:$ 
^litTniJ^^A^-kp^fflUTBi^'ft^ni. (84 
0) „ mUz^ rn^^7AEftrn-bX8 0 0{±. To 

Aiis'JTp t (iBi-^^t^it^crn^-^A^jim 

L ( 8 5 0 ) . ru^'^ymmwmth ( 8 6 o ) . 

[0047] To^'-^AfiSiJ^ P{4, 7°u^-7Affilii^ 
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%wmt^^-)v±.\,zmm'^^zmtti> zba^tt i> . 

[0048] ±ai<7)J;dt, -fe>ybh>yr^-S-^;U4 

0 0(±H9t:^L/-CT3-K7°n-feX9 0 Olr^ffL. 
r n ^" ^ A - k p ^ # S fcto tIEM $ ii/ix y f 

rn-feX9 0 0{i:#^iOf-ry^vWcf-jL-:iyiJ''S-tt 
n-bx^lB*6-r'& (910) , 

[0 0 4 9] ^ff^mz. ^'vVV-yr^-^-flVAOQ 
nm^it S ii/t 7° n 7 A i3 j; umt $ ti/S 7°n 7 A 

iiS'j^p^#tfiit3^fi^£gftt-i. ( 9 2 0 ) . t3 

-Krn-fej^9 0 0{4xy^>f N;P^y bx— X 

6 0 0*^4IS'li$ii:txy^-^ b;t/;^y b'[f|g^lXDtH 
•r ( 9 3 0 ) „ iIfiStl/t7°n^-^A&'^tf;&^t-3;&^& 
Wirt-^ (940) . {,UXr'y7°9 4 0ic-Cgfi7°a 

-^'<-X6 0 0tTi¥ftt^l^i;WiTS^X/'cii'&. W 
StdiSfKS^i/'cTn^-^At^Mt-l.xy^^ ^;^^y 

b{i^< . ru^ymmimi^t ( 9 s o ) „ 

[ 0 0 5 0 3 t*^ i L^m^iif^rni/^Ai^srFf 

:ff-tl>xy^-f hyi/j'^y hT-^'<-x6 0 Otxyh 
y , W§(ciiJS^K § ^i^t 7°n / ^ A 

xy^>f h7Myh*»'^l.„ l¥-5T. xy;?-f vtv^y 
bT-^<--X6 0 0t7)xy b y-:^j^A,lXi9ait/'c4>ra 
=^-ki^fflV^T7°n^"^A=3f-kp*i|tg:Sixl. ( 9 6 
0) „ e^Wtc(±. 7°o^-7A^-kp}±lilT«i:oic 
rOiJ^^A^rJi^piO ( n - r ) ffiV-^^f-^-f^h'^y h 

[00 5 1 ] gf^t:. ^(7)7°n^-5Aii;#A>ix/-c7°n^- 
^A^'f-kp SrfflV^Tftll5tSix (9 70) , Tn^'^A 
f^J»&*IT-ri. (980) . ijLmt^tLfzr 
viifyAtm^<7)oc.y^^ h)\^^yhcr)—3X'li^j:\'^X 
o^j:^. mmrvi^^yJ^bbiiiz^mLtiTui^yA 

lis'j^ p toffifih' -/ h iz-^jktimmmwi^T-p 

|,xy^-f hJlyiyhWrnt^J^y^^-^ b/U-^iyhr-^' 
6 0 0 (C{±^V ^.r i; ;^)iSgrS> 1^ . 



[00 52] tfz. T3-FTP-feX9 0 0{±||^^- 
Tx y >f y b I, i:' 0 W-f S lite. 
ttz. r3-H7°n^rX9 0 0ti:ftfcOt. 31117° 

fcx^^yfc. T~m'mm.4 2oi.zmmm: 

m^zM^imm^~^nxm^<^:ty^-^ hjv^yhi 

[0 0 5 3] ji^^^N-yyjL[lSr_ 

lu^^o i 0 fc. t UN "/ '^^mLm^imy t' -y 

V^fiim%mi. P^-k.co-? y h°y ^-iiM^ y^' 
^-{zmt^'mmxiimmmm-fh z. t \±x-^ ^t- 

[ 0 0 5 4 ] ^N-y yAMaHi±-OtO#l4^f*5tt-<^ 

•c-i>i., mikz. ^\'v-^:i,fmmznLx-i ^--j<7y^ 
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L Tit le of laTentioQ 

Method and System For Tiaflsni tunf A Program Ha?iig Restricted Access 
t(i An Ecd-uUf 
2 , C 1 a ims 

1 . A method for transmitting a program having restricted access to an end- 
user, said method compiisiag the steps of: 

assigning a program identifier to said program, said program identifier 
having a binary vatue; 

defining at least one master key; 

encrypting said program using a program key, said program key obtained 
by applying at least one hash ftinctiou to said master key based on a binary value of said 
program identifier; and 

transmitting said encrypted program together with said program identifier 
to said end-user. 

2. The method according to claim 1, wherein said program identifier 
consists of n bits, and one of said hash fiinctions is applied for each of the n bit positions 
of tlie program identifier dependiiig on the correspondii^ bit value of the program 
identifier. 

3- The method according to claim 1, iurther comprising the step of 
providing entitlement information to said end-users based on the set of programs 
obtained by said end-user 

4- The method according to claun 3, wherein said entitlement information 
inckides a portion of a key tree based on the set of programs obtained by said end-user. 

5 The method according to claim 3, wherein said end-user uses said 

received program identifier to derive said program key from said stored entitlement 
information. 



S. The method according to claim 1, wherein said program identifier is 

interleaved with the transmission of said encrypted program. 
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/. The method according to claim 1, wherein said program identifier is 

transmitted on a control channel. 

g. A method for transmitting a program to a plurality of end-users, said 

method comprismg the steps of: 

encrypting said program using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash function to 
a master key based on the binaiy value of each bit position of said program identifier; 
and 

transmitting said encrypted program and said program identifier to smd 

end-user. 

9. The method according to claim 8, ivherein said program identifio' 
consists of n bits, and a hash fiinction is applied for each of the n bit positions of the 
program identifier depending on the correspoiiding bit value of the program identifier. 

10. The method according to daim 8, fiirther comprising the step of 
providing entitlement information to said end-users based on the set of programs 
obtained by said end-user 

1 1 . The method according to claim 10, wherein said entitlement information 
inchides a portion of a key tree based on the set of programs obtained by said end-user. 

12. The method according to claim 10, wherein said end-user uses said 
received program identifier to derive said program kay from said stored entitlement 
information. 

13. The method according to claim S, wherdn said program identifier is 
interleaved with the transmis^on of said enciypted program. 



14. The method according to claim 8, wherein said program identifier is 

transmitted on a control channel. 
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15. A method for transmitting a program associated with at least one package 
of programs to a plurality of aad-users, said method comprising the steps of 

providing entitlement information to said end -users based on the set of 
programs obtained by said end-user, 

encrypting said program using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash function to 
a master key based on the binary value of each bit position of said program identifier; 
and 

transmitting said program identifier with said encrypted program to said 
end-users, said end-users deriving said program key from said stored entitlement 
information if said end-user is entitled to said program. 

16. The method according to claim 15, wherein said program identifier 
consists of n bits, and one of said hash functions is applied for each of the rt uit positions 
of tlte program identifier depending on the corresponding bit value of the program 
identifier. 

17. The method according to claim 1 5, wherein said entitlement information 
includes a portion of a key tree based on the set of programs obtained by said end-user. 

18. The method according to claim 15, wherein said end-user uses said 
received program identifier to derive said program key fi-om said stored entitlement 
information. 

19. The inethod according to claim 15, wherein said program identifier is 
interieaved with the transmission of said encrypted program. 

20. The method according to claim 15, wherein said program identifier is 
transmitted on a control channel. 
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21. A method for decoding an encrypted program, said method comprising 

the steps of: 

receiving entitleoient ijiforraation from a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receiving said eiiciypted program and a program identifier, said encrypted 
program enciypted with a program key; 

deriving said prograjn key from said program identifier and said stored 
portion of said key tree; and 

decrypting said encrypted program using said program key. 

2^- The method according to claim 21, wherein said program identifier 

consists of n bits, said master key is placed at the root of said key tree and said key tree 
is generated by applying a hash fimction to each node, until n tree levels have been 
created. 

^- A method for decoding an encrypted program, said method comprising 

the steps of: 

receiving entitlement information from a provider of said program, said 
enthlsment information including at least one intermediate key from a key tree based on 
a set of programs obtaiiied by said customer; 

receiving said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

deriving said program key from said program identifier and said stored 
intermediate key by recursively applying a hash function to said intermediate key based 
on the binary vahie of said program identifier, and 



decrypting said encrypted program using said program key. 
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The method accoiding to claim 23, wherein said program identifier 
consists of n bits and said intermedmte key coirespotids to an intermediate node at a 
level r of said key tree, and wuerein said hash function is applied to said mtennediate key 
n-r times. 

25. A system for transmitting a program having restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operativcly coupled to said memory, said processor 

configured to: 

assign a program identifier to said program, said program identifier 
having a binary value; 

define at least one master key; 

encrypt said program using a program key, said program key obtained by 
applying at least one hash function to said master key based on a binary value of said 
program identifier; and 

transmit said encrypted program together with said program identifier to 

said end-user. 

26. A system for transmitting a program havinn restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configured to: 

encrypt said program using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash function to 
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a master key based ontfis binary value of each bit position of said program identifier; 
and 

transmit said encrypted program and s^d program identifier to said end- 
user. 

27. A system for decoding an encrypted program, said system comprising: 
a memoiy for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configured to: 

receive entitlement information from a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receive said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

derive said program key from said program identifier and said stored 
portion of said key tree; and 

decrypt said encrypted program using said program key. 

28. An aiticle of manufacture comprising: 

a computer readable medium having computer readable code means 
embodied tiiereoa said coinputer readable program code means comprising: 

a step to assign a program identifier to a program, said program identifier 
havii^ a bimiry value; 

a step to define at least one master key; 
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a step to encrypt said program using a program key, said program key 
obtained by applying at [east one hash function to said master key based on a binaiy 
value of said program identifier, and 

a step to transniit said encrypted program together with said program 
identifier to said end-user. 



29 An article of manufacture comprising: 

a computer readable medium having computer readable cods means 
embodied thereon, said computer readable program code means comprising: 

a step to receive entitlement information from a provider of a program, 
said entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer, 

a step to receive said encrypted program and a program identifier, said 
enci^pted program encrypted with a program key; 

a step to derive said program key from said program identifier and said 
stored portion of said key tree, and 

a step to decrypt said encrypted program using said program key. 



Detailed Description ol InventioQ 
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Field of the Invention 

The present invention relates generally to a system for restricting access to 
transmitted programming content, and more particularly, to a system for transmitting an 
encrypted program together witli a program identifiBr which is used fay a $et-top 
terminal, together with stored entitlement iofbrmation, to derive the deciyption key 
necessary to decrypt the program. 

BactaETOund of the Invention 

As the number of channels available to television viewers has increased, along 
with the diversity of the programming content available on such channels, it has become 
increasingly challenging for service providers, such as cable television operators and 
digital satellite service operators, to olTer packages of channels and programs thit satisfy 
the majority of the television viewing population. The development of packages that 
may be offered to customers is generally a marketing fimction. Generally, a service 
provider desires to oflfer packages of various aiTes, &om a single program to all the 
programs, and various combbations in between. 

rhe service provider typically broadcasts the television programs from a 
transmittBr, often referred to as the "head-end," to a large population of customers. 
Each customer is typically entitled only to a subset of the received prognunming, 
associated with purchased packages. In a wireless broadcast environment, for example, 
the transmitted programming can be received by anyone with an appropriate receiver, 
such as an antenna or a satellite dish. Thus, in order to restrict access to a transmitted 
program to authorized custamBrs.^ho have purchased the required package, the service 
provider typically encrypts the transmitted programs and provides the customer with a 
set-top termicud (STT) containing one or more decryption keys which may be utilized to 
deciypt programs that a customer is entitled to. In this manner, the set-top terminal 



(23) S2 001-36517 (P2001-36517A) 



1 Bleichenbadier 1-8 

receives encrypted transmissions and decrypts the programs that the customer is entitled 
to, but nothing else. 

In order to minimise piracy of the highly sensitive information stored in the set- 
top terminals, including the stored decryption keys» the set-top terminals typically 
contain a secure processor and secure memory, typically having a capacity on the order 
of a few kilobits, to store the deciyption keys. The secure memory is generally non- 
volatile, and tamper-resistant In addition, tlie secure memory is preferably writable, so 
that the keys may be reprogrammed as desired, for example, for each billing period. The 
limited secure memoiy capacity of conventional set-top terminals limits the number of 
keys that may be stored and thereby limits the number of packages which may be ofFsred 
by a service providei. It is noted that the number of programs typically broadcast by a 
service provider during a monthly billing period can be on the order of 200,000, 

In one variation^ cojiventional set- top terminals contain a bit vector having a bit 
entry corresponding to each package of programs offered by the service provider. If a 
pardcuiar customer is entitled to a package, the corresponding bit entry in the bit vector 
stored in the set-top terminal is set to one CM"). Thereafter, aU programs transmitted by 
the service provider are encrypted with a single key. Upon receipt of a pven program, 
the set-top terminal accesses the bit vector to determine if the corresponding bit entry 
has been set. If the bit entry has been set, the set-top terminal utilizes a single stored 
decryption key to dectypt the prt^ram. While, in theory, flexibility ia achieved in the bit 
vector scheme by providu^ a bit entry for each package (a package generally consists of 
one programX the length of the bit vector would be impractical in a system transmitting 
many programs in a single billing period. In addition, access control in such a system Is 
provided exclusively by the entries in the bit vector and is not cryptographic. Thus, if a 
customer is able to overwrite the bit vector, and set all bits to one ("1"), then the 
customer obtams access to all programs. 

In a further variation, programs are divided into packages, and all programs in a 
given package arc encrypted uang the same key. Again, each package typically 
corresponds to one television channd. The set-top terminal stores a decryption key for 



(24) S2 001-36517 (P2001-36517A) 



5 Bleichenbacher 1-8 

each package the customer is entitled to. Thus, if a program is to be included in a 
plurality of packages, then the program must be retransmitted for each associated 
package, with each transmission enccypted with the encryption key correspondiiig to the 
particular package. Although the access control is cryptographic, the overhead 
associated with retransmitting a given program a mmiber of times discourages service 
providers from placing the same program in a number of packf^ges and thereby limits 
flexibility in designing packages of programs. 

While such previous systems for encrypting and transmitting programming 
content have been relatively successful in restricting access to authorized customers, they 
do not pennit a service provider, such as a television network, to offer many different 
packages contaioii^ various numbers of programs to customers, without exceeding the 
limited secure memory capacity of the set-top terminal or significantly increasing the 
overhead. United States Patent Application Serial Number 08/912,186, filed August 15, 
1997 and assigned to the assignee of the present invention, heicinafter referred to as the 
"Vspace System," discloses a cryptographic method and apparatus for restricting access 
to transmitted pfpgramntii^ content. 

Each program in the Vspace System is enciypted by the head-end server prior to 
transmission, using a program key, Kp. Each of the program k^ is a linear combination 
of a defined set of master keys. A/. A program identifier identifying the program is 
transmitted with the enciyptsd programming content. The customer's set-top terminal 
can derive the decryption key from only the received program identifier, p, and 
previously stored entitlement information. The Vspace System provides a cryptographic 
access control mechanism, while permitting flexible packages (since the program does 
not need to be retransmitted for each associated package) without significantly extending 
the program header (only the program identifier is transmitted with the program). 

Generally, encrypted programming content is transmitted by a service provider 
using a transmitter, or head-end server, to one or more customers. According to one 
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aspect of the invention, a program identifier, p, used to identify the program is 
transmitted to the customer with the programming content. Each customer has a set-top 
terminal or another mechanism to restrict access to the transmitted multimedia 
information using deciyption keys. The set-top terminal receives aititlement 
information from the head-end, corresponding to one or more packages of programs that 
the customer is entitled to for a given period. 

Hach program is encrypted by the head-end server prior to transmission, using a 
program key, Kp, which may be unique to the program. In addition to transmitting the 
encrypted program, the head-end server transmits the program identifier, p. to the set- 
top terminal. The set-top terminal uses the received program identifier, p, together with 
the stored entitlemeiit informatioa, to derive the decryption key necessary to decrypt the 
program. In this manner, if a customer is entitled to a particular program, the set-top 
termiiial will be able to derive the encrypted prograin key, t^, using the stored and 
received information, and thereafter use the program key, Kp, to decrypt the encrypted 
program. In various embodiments^ the program identifier, p, can be interleaved with the 
program portion or transmitted on a separate dedicated control channel. 

According to one aspect of the invention, each of the Jk-bit program keys, Kf, 
used to encrypt transmitted programs is obtained by applying one or more pseudo- 
random hash functions, H, to a master key, m. In one implementation, a lengtb-doublii^ 
hash function, II, is utilized. Thus, the hash function, H, takes a k-hix binary value and 
produces a binaiy vaUie having a length of 2k. The output of the hash function, H, can 
be represented as a pair of k-hit binary values, Ho and Hi, where Ho is referred to as the 
left half of the output of the hash function, and Hi is the right half of the output of the 
hash function. 

In an ilhistrative implementation, a program key, Kp, is obtained by recursively 
applying a hash function. Ho or Hi, to the master key, m. dependii^ on the 
corresponding binaiy value of each bit positicMi of the prc^ram identifier, p. Thus, if the 

program identifier, o, consists of n bits, one of the hash ainctions, Hp or Hi, is apphed 
for each of the n bit positions of the program identifier, p, depending on the 
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corresponding bit value of the program identifier, p. Iidtially, one of the hash functions. 
Ho or Hi, is applied to the master key, m, depending on the hinary value of the most 
significant bit of the program identifier, p. Thereafter, for each of the remaining (n-1) bit 
positions, one of the hash fiiactions, Ho or Hi, is applied to the result of the previous 
hash operation, depending on the binary value of the corresponding bit The calculation 
of the program key, Kp can be represented as follows: 

The hash operation can be repiesented in terms of an n-level binary tree, T» 
referred to as the key tree, with the master key, placed at the root of the tree. The 

tree is generated by applying the hash functions Ho and Hi to each node, until the desired 
number of tree levels (n) have been created. The program keys, Kp, correspond to the 
leaf nodes at the bottom level of the tree. The binary index (and likewise the program 
idemifiers, p) associated with each program key, Kp, corresponds to the path through the 
key tree finom the root to the desired leaf node. Thus, the mdex or labd of a ^iven node, 
II, is the concatenation of the labels on the edges on the path from the root to the node u. 
T(u) denotes the subtree rooted at node «, or the set of program identifiers, 
corresponding to the leaves in the subtree of node For an internal node, w, at depth r 
ia the key tree, with a partial program identifier, p, {ui, . . , , Ut)» the keys of any program 
in the subtree T(u) cam be computed by activating the hash function n - r times. 

A more complete understanding of the present invention, as well as further 
features and advantages of the present invention^ will be obtained by reference to the 
following detailed description and drawings. 

Brief Description of the Drawings 

FIG. 1 is a schematic block diagram illustrating a system for transmitting 
encrypted progranuning content in accordance with one embodiment of the present 
invention; 
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FIG. 2 is a conceptual representation of an exen^jiary key tree in accordance 
with the present invention; 

FIG. 3 is a schematic block diagram of an exemplary head-end server of FIG. 1; 

FIG. 4 is a schematic block diagram of an exemplary set-top terminal of FIO. 1; 

FIG. 5 illustrates a sample table from the prosram database of FIG. 3; 

FIG. 6 illustrates a sainple table from the entitlement database of FIG. 4; 

FIG. 7 is a flow chart describins an exemplary entitlement information 
distribution process as implemented by tlie head-end server of FIG. 3; 

FIG. 8 is a flowchart describing an exemplary program distribution process as 
implemented by the head end server of FIG 3; and 

FIG. 9 is a flowchart describing an exemplary decode process as implemented by 
the set-top terminal of FIG. 4. 

FIG. 1 shows an illustrative network environment for transferring encrypted 
multimedia information, such as video, audio and data, from a service provider using a 

transmitter, such as a head-eiid server 300, discussed further below in conjunction with 
FIG. 3, to one or more customers having set-top terminals 400-401, such as the set-top 
terminal 400, discussed further below in conjunction with FIG. 4, over one or more 
distnbutiou networks 1 10. As used herein, a set-top terminal indudes any mechanism to 
restrict access to the transmitted multimedia infonnation uang deciyption keys, 
including, for example, a computer configuration or a telecommunications device. It is 
possible for software executed by the set-top terminal to be downloaded by the service 
provider The distribution network 110 can be a wireless broadcast network for 
distribution of programming content, such as a digital satellite service ("DSS^"), or a 
conventional mred network, such as the cable tele^dsion network ("CATV), the Public 
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Switched Telephone Network {"PSTN''), an optical network, a broadband integrated 
services digital netwofk ("ISDN*^ or the Internet. 

According to a feature of the present invention, the set-top terminal 400 
intenninently receives entitlement information from the head-end server 300, which 
permits a customer to access programs that the customer is entitled to for a given time 
interval, such as a billing period. As used herein, a package is a predefined set of 
programs, and a given program can belong to one or more packages. A program is any 
continuous multimedia transmission of a paidcular len^h, such as a television episode or 
a movie. The entitlement information can be downloaded from tiie head-end server 300 
to the set-top terminal 400 usiiig any suitably secure uni-directional or li-directional 
protocol, as would be apparent to a person of ordinary skill. 

PROGRAM KEYS AND PROGRAM IDENTIFIERS 

As discussed further below, each transmitted program is encrypted by the head- 
end server 300 using a program key, K?, which may be unique to the program. For a 
detailed discussion of suitable encryption and security techniques^ see B. Schneier, 
Applied Cryptography (2d cd. 1997), incorporated by reference herein. In ad^tion to 
transmitting the encrypted program, the head-end server 300 also transmits aii /7-bh 
program identifier, p, to the set-top terminals 400, which may be utilized by the set-lop 
terminal 400, together with stored entitlement information, to derive the decryption key 
necessary to decrypt the program, in a manner described fiirther below. As discussed 
below in a section entitled ASSIGNING PROGRAM IDENTIFIERS TO PROGRAMS, 
the program identifiers, p, are not chosen arbitrarily. In one prefeiTcd embodiment, the 
program identifier, p, consists of a thirty-two (32) bit value that may be transmitted, for 
example, in the ECM field defined in the MPEG-2 standard. In this manner, if a 
customer is entitled to a particular program, the set-top terminal 400 will be able to 
derive the program key, Kp, from stored and recdved information, and tliereaftcr use the 
program key, Kp, to deciypt the encrypted program. 



(29) S2 001-36517 (P2001-36517A) 



8 Bletchenbacher 1-8 

According to a further feature of the present invention, each of the A-bit program 
keys^ Kp, used to encrypt transmittsd programs is obtained by applying one or more 
pseudo-random hash functions to a master key, m. For a detailed discussion of suitable 
pseudo-random hash functions, see, for example, O. Goldreich et al, "How to Construct 
Random Functions," J. ACM, 33:792-807 (1986), incorpwated by reference herein. 

In one implementation, a oytographically-securc, length doubliiig, hash function 
is utilized, as follows: 

where» k is the length of the program key, Kp. Thus, the hash function, H, takes a A-bit 
bmaiy vahie and produces a binary vahie iia^ a leqgth of 2k. The ou^t of the hash 
fiincdon, H. can be represented as a pair of Jt-bit binary values. Ho and Hi, where Ho is 
referred to as the lefl half of the output of the hash function, H {most significant bits), 
and Hi is the right half of the output of the hash function, H (most significant bits). Ho 
and Hi can be said to be separate hash functions. In one illustrative implementation, 
when k equals 160, H could be defined by using the secret hash standard, SHA-1, as 
defined in Secure Hash Standard, National Institute of Standards and Tedmology, NIST 
FIPS PUB 180-1, U.S. Dept. of Commerce (April, 1995), incorporated by reference 
herein. In other words, Ho equals SHA-I (;^|0). and Hi equals SRVl (a|1X where 0 and 
1 are all-zero and alt-one bit sttiiigs, respectively. 

According to a fUrther feature of the present invention, a program key, Kp. is 
obtained by recursively applying one or more hash fimctions to the master key, m, 
depending on the binary value of the program identifier^ p. In one implementation, the 
program key, Kp, is obtained by recursively applying one of the hash functions, Ho or Hi, 
to tlie master key, tn, depending on the binary value of each bit position of the program 
identifier, p. Generally, if the program identifier, p, consists of n bits^ one of the hash 
fimctions. Ho or Hi, is applied for each of the n bit positions of the program identifier, p, 
(starting with the most significant bit) depending on the corresponding bit value of the 
program identifier, p. Initially, one of the hash functions. Ho or H|. is implied to the 
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master key, m, depending on the binary value of the most significant bit. Thereafter, for 
each of the remaining (n-1) bit positions, one of the hash functions, Hq or Hi, is applied 
to the result of the previous hash operation, depending on the binary value of the 
corresponding bit As discussed below in a section entitled THE KEY TREE, the hash 
operation can be represented as follows: 

As previously indicated, the head-end server 300 will transmit the program 
idendtier, p, with the encrypted program. Thus, giveii the program identifier, p, the s«t- 
top terminal 400 must obtain the program key» Kr, used to decrypt the recdved 
program. As previously indicated, the program key, Kp, is obtained by recursively 
applying one or more hash functions to a master key, m, depending on the binary value 
of the program identifier, p. The program keys, K^, must be obtained by the customer's 
set-top terminal 400 indirectly using the stored entitlement information, discussed below, 
and the received program identifier, p. 

THEKEYTREH 

As previously indicated, a program key, Kp, is obtained by recursively applying 
one or more hash functions, H, to a master key, m, depending on the binary value of the 
program identifier, p. A single ^-bit master key, m, is utilized. The bits of the program 
identifier, p, are denoted by p = (pu - rPt), where pi is the most significant bit and p„ is 
the least significant bh. According to a feature of the present invention, the encryptiun 
key, for a program with a program iueotifier^ p, is defined as follows: 

The iiash operation can also be repicsented in terms of a fiill n-level binary tree 
T, referred to as the key tree 200, shown in FIG. 2. Tlic illustrative key tree 200, shown 
in FIG. 2, corresponds to an implementation having program identifiers, p, consisting of 
three bits. As shown in FIG. the master key, m, is placed at the root 210 of the tree 
200. The program keys, Kp. c(vrespond to the leaf nodes» such as the leaf nodes 240- 
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247. Tlie index associated with each program key, Kp, shown in FIG. 2, such as the 
Index 01 1 associated with the program key, Kp, of the leaf node 243, indicates the path 
throush the key tree 200 from the root 210 to the leaf node 243. For example, the 
program key, Kp, of the leaf node 243 is obtained by following a left edge (Ho) from the 
root 210, a right edge (Ht) from the node 220 and a right edge (Hi) from the node 232, 
In other words, lio is initially applied to the master key, m, then Hi is applied to a frr&t 
hash result, and Hi is again applied to the second hash result The resulting value is the 
program key, K^i I. 

Thus, the label of a given node, u, such as the node 243, is the concatenation of 
the labels on the edges on the path fiom the root 210 to the node u. The label of each 
node can be identified with the program identifiers, p. Tfu) is utilized to denote the 
subtree rooted at node u, or equivalently, to denote the set of program identifiers, p, 
corresponding to the leaves in the subtree of node u. For an internal node, r/, at depth r 
in the key tree 200, with a partial program identifier, p, (ui,,.., Ur), the keys of any 
program in tiie suutree T(u) can be computed. The key of any program in the subtree of 
node If is computed by activating the hash function n - r times. Specifically, the 
appropriate hash function, lio or Hu is utilized as directed by the value of each of the n - 
r low order bits of the program identifier, p. Thus, the program key, Kp, corresponding 
to a node » can serve as an entitlement for all programs in the subtree of node u. 

If the function H is a pseudo-random generator, then the mapping of the program 
keys, Kp {0,1}" {0^1}^ parameterized by the master key, m, is a pseudo-random 
function. See. for example, O. Goldreich et al.. "How to Construct Random Functions," 
J. ACM, 33:792-807 (1986), incorporated by reference above 

SYSTEM COMPONENTS 

FI& 3 is a block diagram showing the architecture of an illustrative head-end 
server 300. The head end may be associated v^th a television network, a cable operator, 
a digital satellite service operator, or any service provider transmitting encrypted 
programming content. The head-end server 300 may be embodied, for example, as an 
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R5 6000 server, manufactured by IBM Corp., as modified herein to execute the 
functions and operations of the present inventioiL The head-end server 300 includes a 
processor 310 and related memory, such as a data storage device 320. The processor 
310 may be embodied as a sir^le processor, or a number of processors operating in 
parallel. The data storage device 320 and/or a read only memory (ROM) are operable to 
store one or more instructions, which the processor 310 is operable to retrieve, interpret 
and execute. 

As discussed above, the data storage device 320 includes a master key database 
350 for storing the master key, m. The master key, m, may be updated, for example, 
once per billing period. In addition, as discussed further below in conjunction with FIG. 
5, the data storage device 320 includes a program database SOO. The program database 
500 indicates the program identifier, p, and associated packages corresponding to each 
program. In addition, as discussed further below in conjunction with FIGS, 7 AND 8, 
the data storage device 320 includes an entitlement information distribution process 700 
and a program distribution process 800. Generally, the entitlement information 
distribution process 700 generates and distributes the entitlement information required by 
each customer to access entitled programs. In addition, the program distribution process 
800 derives the program key, Kp, based on the program identifier, p, assigned to the 
program in order to encrypt and transmit the program with the program identifier, p. 

The communications port 330 connects the head-end server 300 to the 
distribution network 110, thereby linking the hcad-cnd server 300 to each connected 
receiver, such as the set-top terminal 400 shown in FIG 1. 

FIG. 4 is a block diagram showing the architecture of an illustrative set-top 
terminal 400. The set-top terminal 400 may be embodied^ for example, as a set-top 
terminal (STT) associated with a television, such as those commercially available from 
General Instniments Corp., as modified hcran to execute the functions and operations of 
the present invention. The set-top terminal 400 inchides a processor 410 and related 
memory, such as a data storage device 420, as well as a communication port 430, which 
operate in a similar manner to the hardware described above in conjunction with FIG. 3. 
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As discussed further below in conjuncdoii with FIG. 6, the data storage device 
AW includes an entitlement database 600 that may be storsd in a secure portion of the 
data storage device 420. The entitlement database 600 inchides those portions of the 
key tree 200 tliat are necessary to derive the program keys, Kp, for the programs to 
which the customer is entitled In addition, the data storage device 420 includes The hash 
functions. Ho and Hi, 440. In addition, as discussed further below in conjunction with 
FIG. 9, the data storage device 420 includes a decode piocess 900, Generally, the 
decode process 900 decrypts programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement inforaution 600 to deiive the 
program key, Kp, and then using the program key, Kp, to decrypt the program. 

FIG. 5 ilhistrates an exemplary program database 500 that stores information on 
each program, p, which will be transmitted by the head-end server 300, for example, 
during a given billing period. Including the packages the program belongs to and the 
corresponding program identifier, p. The program database 500 maintains a plurality of 
recorda, such as records 505-520, each associated with a different program. For each 
program identified by program name in field 525, the program daubase 500 inchides an 
indicaticHL of the corresponding packages to viduch the program belongs tn field 530 and 
die corresponding program identifier, p, in fiekl 535. 

PIG. 6 illustrates an exemplary entitlement database 600 that includes those 
portions of the key tree 200 that are necessary to derive the program keys, Kp, for the 
programs to which the customer is entitled. As previously indicated, T(tt) is utilized to 
denote the subtree rooted at a node «, or cquivalsntly, to denote the set of program 
identifiers, p, corresponding to the leaf nodes 240-247 in the subtree of node ir. For 
example, if a customer is entitled to receive the four programs corresponding to the leaf 
nodes 240-243, the entitlemeat informatioji would consist of the imermediate key 
associated with node 2^0. In this manner, the appropriate hash functions. Ho and Hi, 
440 can be used to derive the program keys, K^, for eacii node 230, 232, 240-243 in the 
subtree of node 220, as necessary. 
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The exemplary entitlement database 600 shown in FIG. 6 corresponds to a 
customei that is entitled to receive the four programs corresponding to the leaf nodes 
240-243, as well as the two programs corresponding to the leaf nodes 246-247, Thms, 
the entitlement iiiformation recorded in the entitlement database 600 consists of the 
intermediate keys associated with node 220 and node 236. For each node 220 and 236, 
the entitlement information recorded in the entitlement database 600 includes the 
intermediate key value, K]^ and Kl^^, respectively, and an indication of the corresponding 
partial program identifier, p. The manner in which the entitlement information 600 is 
generated by the entitlement information distribution process 700 based on packages of 
progranu selected by a customer is discussed below in conjunction with FIG. 7. 

PROGRAM PACKAGING 

Small entitlements can be established for many sets of programs of varying size, 
using the tree scheme of the present invention. A target set, S, is establisbed usmg the 
collection of programs to be packaged. A minimal set of tree nodes \a obtained whose 
subtrees predsely cover the target set, S, as follows: 

T(S) =ZqT such that (J /'(«) = 5, cwaf |Z| is minimal . 

The entitlement information for the package, S, is the set of intermediate keys, 
Ki» held at the nodes of T(S). As indicated above, this set of keys allows the set-top 
terminal 400 to decrypt exactly the programs in S but nothing else. It is noted that, in 
principle, the tree scheme of the present invention can create entitlement information for 
any arbitraiy target set, S. It is further noted, however, that if the program identifiers, p, 
are assigned afbitrarily then the entitiemeat iii&irmAtion may become prohibitiveily large 
fbr the limited secure memory of the set-top terminals 400. 

PROCESSES 

As discussed above» the head-end server 300 executes an entitlement information 
distribution process 700, shown in FIG. 7, to generate and distribute the entitlement 
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informatioii 600 required by each customer to access entitled programs As previously 
indicated, the entidemeiit infonnation 600 consists of the intennediate key value, Kt, and 
an indication of the corresponding paitial pro-am identifier, p, for each node of the key 
tree 200 that is necessaiy to derive the program keyB^ Kp, for the programs to which the 
customer is entitled. 

Thus, the entitlement information distributkm process 700 initially identifies the 
programs selected by the customer during step 710. Thereafter, the entitiemeiit 
information distribution process 700 finds a minimal set of tree nodes» T{SX whose 
subtrees precisely cover the target set» S. The target set, is decomposed during step 
720 into maximal di^oint intervals of consecutive program identifiers, p. It is noted that 
two program identifiers, p, are considered consecutive if the integers corresponding to 
the binary representations are consecutive, A cover, T{S), is then found for each interval 
during step 730. The s«t of Intermediate keys, Ki, and corresponding partial program 
identifiers, p, held at the nodes of the cover, T(S), for each interval are generated during 
step 740. Finally, the generated entitlement iuformation is downloaded by die head-end 
server 300 to the set-top terminaf 400 during step 750, before program control 
terminates during step 760, 

The number of intervals in the target set, S. is referred to as I(S). To compute a 
cover, T(S)» for a single intei val of program identifiers, p, on the order of n tree nodes 
must be visited in a key tree 200 of depth n. Thus, the time complexity of the 
entitlement information distribution process 700 is on the order of I{S)-n. Likewise, the 
si^e of the minimal cover, T(S), is on the order of I(S)-n. Programs with related content 
should be assigned program identifiers, p, that allow them to be packaged efficiently. In 
one impIemeatatkHi, basic packages arc of the form all program identifiers, p, witii a bit 
prefix \i. An entitlement for such a angle-topic package is a single key in the key tree 
^00. Moreover, multi-topic packages can be assembled with no side-eflects. The 
entitlement information is simply the set of keys for the individual topics that comprise 
the multi-topic package. In accordance with the present invention, a package defined by 
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a prefix |i does not allow the set-top tenninai 400 to decrypt programs with a 0 prefix of 
the same length. 

As discussed above, the hsad-end server 300 executes a program distribution 
process 800, shown in FIG. 8, to derive the program key, K?, based on the program 
identifier, p, assigned to the program and the master key, m, in order to enciypt and 
transmit the prograin with the program identifier, p. It is noted that the program 
distribution process SOO, other than the actual transmission step, can be executed offUne 
or in real-time. As illustrated in FIG. 8, the program distribution process 800 begins the 
processes embodying the principles of the present invention during step 810 by 
identifying a program to be transmitted. 

Thereafter, the prograin distribution process 800 retrieves the program identifies', 
p» corresponding to the program firom the program database 500, during step 820, and 
theii calculates the program key, Kp, corresponding to the program during step 830. The 
program will then be encr^Jted dimng step 840 with the program key, Kp, calculated 
during the previous step. Finally, the program distribution process 800 will transmit the 
encrypted program together with the program identifier, p, during step 850, before 
program control terminates during step 860. It is noted that the program identifier, p, 
can be transmitted periodically interieaved throughout the transmission of the program 
mformation, so that a customer can change channels during a program and be able to 
derive the program key, Kp, which is required to decrypt the program. In an alternate 
embodiment, the program identifier, p, can be continuously transmitted on a separate 
control chaimel, such as a Barker channel. 

As discussed above, the set-top terminal 400 executes a decode process 900, 
shown in FIG, 9, to decrypt programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement information 600 to derive the 
program key, Kp, and then usii^ the program key, Kp, to decrypt the program. As 
illustrated in FIG. 9, the decode process 900 begins the processes embodying the 
principles of the present iavention during step 910, upon receipt of a customer 
instiuction to tune to a particular channel 
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Thereafter, the set-top termina] 400 will receive the appropriate signal duriqg 
step 920, inchjding the encrypted program and the transmitted program identifier, p. 
The decode process 900 then retrieves the stored entitlemeiit information from the 
entitlement database 600 during step 930. A test is performed during step 940 to 
determine if with the transmitted program. If it is determined during step 940 that an 
entry does not exist in the entitlement database 600 having a partial program identifier, p, 
that matches the most significant bits of the rec^ved program identifier, p, then the 
customer is not entitled to the selected pro-am and program control terminates during 
step 980. 

IC however, an entry does exist in the entitlement database 600 having a partial 
program identifier, p, that matches the most significant bits of the received program 
identifier, p, then the customer is entitled to the selected program. Thus, the program 
key. Kp, is then calculated durii^ step 960 using the intermediate key» Ki, retrieved from 
the entry of the entitlement database 600. Specifically, the program key, Kp is computed 
by acfivatmg &e appropriate hash function, Hp or Hi, as directed by the value of each of 
the n - r low order bits of the program identifier, p, as Mows: 

Finally, the program is deciypted using the derived program key, Kp, during step 
970, before program coiitrol terminates during step 980. It is noted that if the received 
program is not part of the customer's entitlement, then there is no entitlement 
information in the enfitlement database 600 having a partial program identifier, p, that 
matches the low order bits of the program identifiGr. p, received with the transmitted 
program. 

It is further noted that the decode process 900 can wait for the customer to 
request a particular channel before attemptu^ to derive the decryption keys and 

determine whether the customer is entitled to the requested channel, as described above, 
or the decode process 900 can alternatively periodically scan all chaimels to obtain the 
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transmitted program identifiers, in order to derive the decryption keys for storage in 
the data storage device 420 and predetermine the customer's entitlement. 

SUIT.\BLE IIASH FUNCTIONS 

As previously indicated, if the hash function, H, is a pseudo-random bit generator, 
then the mapping of p -> Kp is provably a pseudo-random fiinction. Thus, if the actual 
hash function, is cryptographically strong, then the encryption keys would be 
unpredictable. Accordingly, if a pirate only has access to the encrypted program 
broadcast, the knowledge that the keys were generated using the tree scheme of the 
present invention does not seem to help in breaking the encryption. Tberefofe, 
essentially the only concern is to ensure that the video encryption algorithm can 
withstand known plaintext attacks. 

The hash function, H, should possess two properties. First, it must be hard to 
compute the input x given half of the image Ha(x) or Hi(x) for the hash function, H. 
This certainly holds for any cryptographic hash II, which is hard to invert even when 
both halves of the im^ are known. In addition, it must be hard to compute Ho(x) even 
when Hi(x) is known, and vice versa. In principle, it may be easier to complete a missing 
half-key when the other half [& known, even if the function H is hard to invert. If this is 
the case, then a pirate who knows the program key, Kp for a node u may be able to 
compute the key to a sibling node, v, and then to all the programs in the subtree of node 

V. 

One advantage of the tree scheme in accordance with the present invention is that 
it makes merging pirated entitlements inefficient. Consider a pair of sibling programs, pi 
and P2, and their parent node, u. Suppose that the pirate knows the program key, Kp, 
corresponding to both programs, pi and p2, which are the two halves of H(Kp(u)}. The 
pirate still cannot invert II and compute K,^u] smce II is a cryptographic hash function, 
fhus, the merged pirated entitlements would have to contain both Kp(pt) and Kp(p2), 
rather than more compact Kp{u]. Thus, breaking into multiple set-top terminals 400 with 
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cheap (but diiTerent) entitlements is not a good strategy for the pirate, sines the 
combined entitlement will be v^ large. 

As previously indicated, suitable pseudo-random hash functions are discussed^ for 
example, in O. Goldrdch ct al., "How to Construct Random Functions," J. ACM, 
3 3 ; 792-807 ( 1986), incorporated by reference above, 

It is to be understood that the embodiments and variations shown and described 
herein are merely IHustiative of the pnnciptes of this invention and that various 
modifications may be implemented by those skilled in the art without departing from the 
scope and spirit of the invention. 

4 . Bj i e f Description of Drawings 
Wr i t tett above. 
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(46) S2 001-36517 (P2001-36517A) 



A system for restricting access to transmitted programming content is 
disclosed, which transmits a program identifier with the encrypted programming content. 
A set<-top terminal or similar mechaniBm restricts access to the transited multimedia 
information using stored decryption keys. The set-top terminal receives enlitiement 
information periodically firom the head-end, corresponding to one or more packages of 
programs that the customer is entitled to for a given period. Each program is encrypted 
by the head-end server prior to transmission, using a program key, Kp, which may be 
unique to the program. The sct-top terminal uses the received program identifier, p, 
together with the stored entitlement information, to derive the decryption key necessary 
to decrypt the program. Each of the A-bit program keys, Kp, used to encrypt transmitted 
programs is obtained by applying one or more pseudo-random hash functions, il, such as 
a lengtb-doubhng hash function, H, to a master key, m. The ilhistrattve hash function, H, 
takes a kAni binafy vahie and produces a binary value having a length of 2^, with IIo 
being the left half of the output of the hash function, and Hi being the right half of the 
output of the hash function. A program key, Kp, is obtained by recursively applying a 
hash function. Ho or Hi, to the master key, m, depending on the corresponding binary 
value of each bit position of the program identifier, p. The hash operation is represented 
in terms of an /i-level binaiy tree, T, referred to as the key tree, with the master key, m. 
placed at the root of the tree. The tree is generated by applying the hash functions Hg 
and Hi to each node, until the desired number of tree levels (n) have been created. The 
program keys, Kp, correspond to the leaf nodes at the bottom level of the tree. The 
program identifier, p, associated with each program key, Kp, corresponds to the path 
through the key tree firom the root to the desired leaf node. 
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(57)Abstract: 

PROBLEM TO BE SOLVED: To provide a system to limit access to 
contents of transmission program such as television program. 
SOLUTION: A transmitter or a head end server is used by a service 
provider to transmit encrypted programming contents to one or a 
plurality of customers. A program identifier (p) used to identify a 
program is transmitted to the customers together v^ith programming 
contents. Each customer uses a set-top terminal or an interpretation 
key to provide a limited access to transmission multimedia 
information as other device. The set- top terminal 400 or the like 
receives entitlement information corresponding to a package of one or 
a plurality of programs that can normally be received for a period 
from a head end. 
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CLAIMS 



[Claim(s)] 

[Claim 1] The step which assigns the program identifier which is the approach of transmitting the program 
which can carry out access restriction to an end user, and has (A) binary value to said program, (B) The step 
which enciphers said program by using the step which defines at least one master key, and the program key 
obtained by applying at least one Hash Fimction to said master key based on the binary value of the (C) 
aforementioned program identifier, (D) Approach characterized by having the step which sends said 
enciphered program to said end user with said program identifier. 

[Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 
the Hash Functions to each location of n bits of said program identifier according to the bit value to which it 
becomes from n bits and said program identifier corresponds. 

(Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said end user. 
[Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
in order to obtain said program key from said memorized entitiement ir\formation. 
[Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 
transmission of said encryption program. 

[Claim 7] Said program identifier is an approach according to claim 1 characterized by being transmitted on 
a control channel. 

[Claim 8] The approach characterized by to have the step enciphered using the program key which is the 
approach of transmitting a program to two or more end users, and was obtained by applying a Hash 
Function to the master key based on the binary value of each bit position of said program identifier for the 
program which has (A) program identifier recurrently, and the step which transmits the program which 
carried out (B) encryption, and said program identifier to said end user. 

[Claim 9] Said program identifier is an approach according to claim 8 characterized by applying said Hash 
Function to each location of n bits of said program identifier according to the bit value to which it becomes 
from n bits and said program identifier corresponds. 

[Claim 10] (C) The approach according to claim 8 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said end user. 
[Claim 11] The approach according to claim 10 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement iiiformation. 

[Claim 12] Said end user is an approach according to clairn 10 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement irtformation. 
[Claim 13] Said program identifier is an approach according to claim 8 characterized by interleaving with 
transmission of said encryption program. 



[Claim 14] Said program identifier is an approach according to claim 8 characterized by being transmitted 
on a control channel. 

[Claim 15] It is the approach of transmitting the program corresponding to at least one program package to 
two or more end users. (A) The step which provides said end user with entitlement information based on 
the set of the program acquired by said end user, (B) The step enciphered using the program key obtained 
by applying a Hash Function to the master key based on the binary value of each bit position of said 
program identifier for the program which has a program identifier recurrently, (C) Have further the step 
which transmits said program identifier to said end user with the enciphered program, and if said end user 
is a just user of said program Said end user is an approach characterized by obtaining said program key 
from the memorized entitlement information. 

[Claim 16] Said program identifier is an approach according to claim 15 characterized by applying one of 
said the Hash Functions to each location of n bits of said program identifier according to the bit value to 
which it becomes from n bits and said program identifier corresponds. 

[Claim 17] The approach according to claim 15 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 18] Said end user is an approach according to claim 15 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 

[Claim 19] Said program identifier is an approach according to claim 15 characterized by interleaving with 
transmission of said encryption program. 

[Claim 20] Said program identifier is an approach according to claim 15 characterized by being transmitted 
on a control channel. 

[Claim 21] The step which receives the entitlement information which is the approach of decoding the 
enciphered program and contains at least one middle key from a key tree based on the set of the program 
which said customer acquired from the provider of the (A) aforementioned program, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) Approach 
characterized by having the step which obtains said program key from the part said program identifier and 
said key tree were remembered to be, and the step which decodes said encryption program using the (D) 
aforementioned program key. 

[Claim 22] It is the approach according to claim 21 which said program identifier consists of n bits, and said 
master key is arranged on the root of said key tree, and is characterized by generating said key tree when 
said key tree applies a Hash Function to each node until the tree level of n is made. 
[Claim 23] It is the approach of decoding the enciphered program. From the provider of the (A) 
aforementioned program The step which receives the entitlement information which contains at least one 
middle key from the key tree based on the set of the program which a customer acquires, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) The step 
which obtains said program key from the part the key tree was remembered to be from said program 
identifier and said middle key by applying a Hash Function to said middle key recurrently based on the 
binary value of said program identifier, (D) Approach characterized by having the step which decodes said 
encryption program using said program key. 

[Claim 24] It is the approach according to claim 23 which said program identifier consists of n bits, and said 
middle key corresponds to the intermediate node in the level r of said key tree, and is characterized by 
carrying out n-r time application of said Hash Function at said middle key. 

[Claim 25] The memory which is the system which transmits the program which restricts access to an end 
user, and memorizes the (A) master key and a computer readout possible code, (B) It has the processor 
connected with said memory in actuation. This processor (a) The program identifier which has a binary 
value is assigned to said program, (b) Define at least one master key and said program is enciphered using a 
program key by applying at least one Hash Function to said master key based on the binary value of the (c) 



aforementioned program identifier, (d) System characterized by constituting so that an encryption program 
may be transmitted to said end user with said program identifier. 

[Claim 26] The memory which is the system which transmits the program to which access to an end user 
was restricted, and memorizes the (A) master key and the code which can be computer read, (B) It has the 
processor connected with said memory on actuation. Said processor (a) The program key obtained by 
applying a Hash Function to a master key recurrently based on the binary value of each bit position of said 
program identifier is used. The system characterized by constituting so that this program that enciphered 
this program that has a program identifier and was enciphered by the (b) aforementioned end user, and said 
program identifier may be transmitted. 

[Claim 27] The memory which is the system which decodes the enciphered program and memorizes the (A) 
master key and the code which can be computer read, (B) It has the processor connected with said memory 
on actuation. Said processor (a) The entitlement information containing the part of the key tree based on the . 
set of the program acquired by said customer is received from the provider of this program, (b) The 
encryption program enciphered by the program key and a program identifier are received, (c) System 
characterized by obtaining said program key from said part said program identifier and said key tree were 
remembered to be, and constituting so that said encryption program may be decoded using the (d) 
aforementioned program key, 

[Claim 28] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read assigns the program identifier which has (a) 
binary value at the time of actuation to a program, (b) Define at least one master key and the program key 
obtained by applying at least one Hash Function to said master key based on the binary value of the (c) 
aforementioned program identifier is used. The medium which is characterized by transmitting this 
program that enciphered this program and was enciphered with the (d) aforementioned program identifier 
to an end user and which can be computer read. 

[Claim 29] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read receives the entitlement information 
containing the part of the key tree based on the set of the program acquired by the (a) aforementioned 
customer at the time of actuation from the provider of this program, (b) The encryption program enciphered 
by the program key and a program identifier are received, (c) Medium which is characterized by obtaining 
said program key from said part said program identifier and said key tree were remembered to be, and 
decoding said encryption program using the (d) aforementioned program key and which can be computer 
read. 
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DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of transmitting programming. 
[0002] 

[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel. 
Generally development of the package with which a customer is provided is a marketing function, A service 
provider is wanted to offer the package of various sizes generally. For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the repro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of the keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU which has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 



machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs, 

[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television charmel. A set top • 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ an access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure memory capacity to which the set top terminal be restricted . The cryptography-approach arid 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 application) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transmission using the 
program key kP. Each program key is the linearity combination of the set with which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
[0010] 

[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual — the program - unique - making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 



exclusive control channel. 

[0012] Each of k-bit program key kp used for encijphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example. Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example, the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is applied to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remaining bit position (n-1). Count of the program key kp can be expressed as 
follows. 
[Equation 1] 

[0014] Such a hash operation can be expressed in relation to n level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 
each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is connection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Function to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encryption multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution networks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terminal performs. A network 
110 can be made into the wireless broadcasting network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of . 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 



which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security technique are indicated by reference, B.Schneier, and Applied Cryptography (2d ed,1997). In 
addition to transmission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key reqmred to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assignment of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that, 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.GoIdreich et al. and "How to Constmct Random Functions" J.ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: (0, 1} k->{0, l}2k ~ here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 
be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function, 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference. 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x I 1 0), and HI turns into SHA-1 (x I 1 1). 
Here, 0 and 1 are the bit strings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrentiy 1 or two or more Hash Fimctions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the item of a title caUed lower "key 
tree" may explain. 
[Equation 2] 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Functions to a master key m according to the binary value of 



the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Functions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cryptographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index Oil corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232, That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOll can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what connected the label on the edge of the pass to 
Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program in the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Function. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Fimctions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlement to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] (0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and "How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 — for example, IBM - it can mount with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be mounted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 

[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> — the data storage device 320 has the 



entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program delivery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in order to encipher a program and to transmit by the program identifier p. 
[0032] The communication link port 330 links the head end server 300 to each cormected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is the block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (STT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400 is equipped 
with a processor 410 and memory like data storage 420, and the communication link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlement database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the program 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose customer has an entitlement. 
[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accoimting 
period with the program identifier p to which that program belongs and which packs and corresponds. The 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 
entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 — it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 



packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 

follows. 

[Equation 4] 
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[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore — however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted. 

[0040] a process - as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitlement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 
maximum De Dis joint interval of the KONSEKYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information downloads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magnittide of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single ke;y in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is important for performing in off-line thm/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 



program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a channel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920). The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitiement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 
corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equation 5] 

K,=HJ...H,JHJK,))...) 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a customer to 
demand a specific channel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all channels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function - as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a well-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 



difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pi, p2, and those ********** of a SHIBURINGU program are 
considered. A piracy person assumes that the program key kp corresponding to the programs pi and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pi) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is " although - it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Function is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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TECHNICAL FIELD 



[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of transmitting programming. 
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PRIOR ART 



[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel 
Generally development of the package with which a customer is provided is a marketing function. A service 
provider is wanted to offer the package of various sizes generally. For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the repro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of the keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU whigh has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 
machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs. 



[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television channel. A set top 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ ai\ access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure memory capacity to which the set top terminal be restricted . The cryptography-approach and 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 application) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transmission using the 
program key kP. Each program key is the linearity combination of tiie set with which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
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MEANS 



[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual — the program - unique - making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 
exclusive control channel. 

[0012] Each of k-bit program key kp used for enciphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example. Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example, the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is applied to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remaining bit position (n-l). Count of the program key kp can be expressed as 
follows, 
[Equation 1] 

[0014] Such a hash operation can be expressed in relation to h level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 



each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is connection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Function to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encr)^tion multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution networks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terrninai performs. A network 
110 can be made into the wireless broadcastiiig network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 
which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security technique are indicated by reference, B.Schneier, and Applied Cryptography (2d ed.l997). In 
addition to transmission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key required to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assignment of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that. 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.Goldreich et al. and "How to Construct Random Functions'' J.ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: {0, 1) k->{0, l}2k - here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 



be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function. 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference. 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x I 1 0), and HI turns into SHA-1 (x 1 1 1). 
Here, 0 and 1 are the bit strings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrently 1 or two or more Hash Functions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the'item of a title called lower "key 
tree" may explain. 
[Equation 2] 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Functions to a master key m according to the binary value of 
the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Ftinctions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cryptographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index Oil corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232. That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOll can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what connected the label on the edge of the pass to 



Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program in the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Function. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Functions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlenient to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] {0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and '*How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 - for example, IBM - it can moimt with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be moimted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 

[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> - the data storage device 320 has the 
entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program delivery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in order to encipher a program and to transmit by the program identifier p. 

[0032] The communication link port 330 links the head end server 300 to each connected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is the block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (STT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400. is equipped 
with a processor 410 and memory like data storage 420, and the communication link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlerhent database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the program 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose Customer has an entitlement. 



[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accoimting 
period with the program identifier p to which that program belongs and which packs and corresponds. The 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 
entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 — it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 
packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 
follows. 
[Equation 4] 

^ T{S)--Z qT tztzLs [jTiu)=S . |Z| (ift/h 

[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore — however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted, 

[0040] a process — as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitlement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 



maximum De Dis joint interval of the KONSEKYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information downloads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magnitude of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single key in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is irr\portant for performing in off-line thru/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 
program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a channel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920), The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitlement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 



corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equations] 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a custorner to 
demand a specific channel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all channels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function - as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a well-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 
difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be; difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
•calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pl, p2, and those of a SHIBURINGU program are 

considered. A piracy person assumes that the program key kp corresponding to the programs pl and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pl) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is — although — it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Function is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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Bottom. 

970 Decode Program Using Program Key Kp. 



[Translation done.] 



* NOTICES * 



JPO and NCIPI are not responsible for any 
damages caused by the use of this translation. 

l.This document has been translated by computer. So the translation may not reflect the original precisely. 
2 **** si^ows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing 1] The block diagram showing the system which transmits the enciphered contents of 
programming according to one example of this invention. 

[Drawing 2] Drawing showing the example of the key tree according to this invention. 
[Drawing 3] The block diagram of the head end server of drawing 1 . 
[Drawing 4] The block diagram of the set top terminal of drawing 1 . 

[Drawing 5] The table from the program database of drawing 3 . 
[Drawing 6] The table from the entitled database of drawing 4 . 

[Drawing 7] The flow chart showing the entitlement information delivery process which the head end server 
of drawing 3 uses. 

[Drawing 8] The block diagram showing the program distribution flow chart which the head end server of 
drawing 3 uses. 

[Drawing 9] The flow chart showing the record process which the set top terminal of drawing 4 uses. 
[Description of Notations] 
110 Distribution Network 
200 Key Tree 

220, 230, 232, 236, 240-243, 246-247 Node 
300 Head End Server 
310 410 Processor 
320 420 Data storage 
350 databases 

330 430 Communication link port 

400-401 Set top terminal 

440 Hash Functions HO and HI 

500 Program Database 

505-520 Decoding 

525, 530, 535 Field 

600 Entitlement Database 

700 Entitlement Information Delivery Process 

710 Identify Program Which Customer Chose. 

720 Decompose to the Maximum De Dis Joint Interval of Target Set KONSEKYUTIBU Program Identifier P. 
730 Find Covering T (S) to Each Interval. 

740 Generate Partial-Program Identifier P to which Middle Key Ki Sets and Corresponds in Node of 
Covering T (S) to Each Interval. 

750 Transmit Entitlement Information to Set Top Terminal. 
760, 860, 980 Termination 
800 Program Delivery Process 



810 Identify Program Which Should be Transmitted. 

820 Take Out Program Identifier P from Program Database. 

830 Calculate Program Key. 

840 Encipher Program Using Program Key. 

850 Transmit Program Enciphered with Program Identifier P. 

900 Decoding Process 

910 Take Out Customer Directions Made to Tune Up to Channel. 

920 Receive Sending Signal Containing Program and Program Identifier P. 

930 Take Out Entitlement Information Memorized from Entitlement Database. 

940 Is There an Entry Which Has Partial-Program Identifier P corresponding to MSB of Receiving- Agent 
Identifier P? 

960 Come Out Picking and Calculate Program Key Kp Using Ki Value and Hash Fimctions HO and HI 
Bottom. 

970 Decode Program Using Program Key Kp. 



[Translation done.] 



* NOTICES* 

JPO and NCIPI are not responsible for any 
damaiges caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



DRAWINGS 



[Drawing 1] 





( 










1 


1 













400^ 


(sn) 




(SIT) 




1 




N 



[Drawing 2] 



210 




[Drawing 31 



320 



"T 



m 1 ^350 



[Drawing 4] 



400 

\ 



420 



^440 



[Drawing 5] 

525 



:fQif^A^-^^j. 500 
S30 



53S 











S05^ 








SID*' 








515^ 








S2Q^ 









[Drawing 6] 

x>>*f h/ujiM-7'->K-x 600 













0 


236 




11 



[Drawing 7] 



700 



710-- 



730 



740 



750-^ 



760 

[Drawing 81 



m 



r — 



I 



830 



I 



Kp = Hp^(...Hp2 (Hp|(m))...) 



I 

840 



850 



r 



860 --(^^t) 

[Drawing 9] 



900 



910^ 



I 



930 H ffi«*Hfcx>4i-rhJU»MIHI* 




960-^ 



Kp=Hp„ (-Hp,^,(Hp, (K,))_) 



970' 









mat 



[Translation done.] 



* NOTICES * 



390 and NCIPI are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



CORRECTION OR AMENDMENT 



: [Kind of official gazette] Printing of amendment by the convention of 2 of Article 17 of Patent Law 
■ [Section partition] The 3rd partition of the 7th section 
, [Publication date] November 8, Heisei 14 (2002. 11.8) 

|. [Publication NoO jP,2001-36517,A (P2P01-36517A) 

I [Date.of Publication] February 9, Heisei 13 (2001. 2.9) 

V [Animal volume number] Open patent official report 13-366 

[Application number] Application for patent 2000-135069 (P2000-135069) 

[The 7th edition of International Patent Classification] 

H04L 9/08 
tC09C 1/00 650 
|hi04N 5/44 

feesi 




;H04L 9/00 601 D 

fcogc 1/00 650 Z 

::H04N 5/44 A 
#7/16 C 

f!H04L 9/00 601 E 

:IH04N 7/08 Z 
67/167 Z 



[Procedure revision] 

[Filing Date] August 13, Heisei 14 (2002. 8.13) 
[Procedure amendment 1] 
[Document to be Amended] Specification 
: iltem(s) to be Amended] Claim 
[Method of Amendment] Modification 
[Proposed Amendment] 
[Claim(s)] 

[Claim 1] It is the approach of transmitting the program which can carry out access restriction to an end 
user, 

(A) The step which assigns the program identifier which has a binary value to said program, 

(B) The step which defines at least one master key. 



(C) The step which enciphers said program by using the program key obtained by applying at least one 

Hash Function to said master key based on the binary value of said program identifier, 
: (D) The approach characterized by having the step which sends said enciphered program to said end user 

with said program identifier. 
: [Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 

the Hash Functions to each location of n bits of said program identifier according to the bit value to which it 
^ becomes from n bits and said program identifier corresponds. 

^: [Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
■ said end user with entitlement information based on the set of the program acquired by said end user. 
I . [Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
i the program acquired by said end user in said entitlement information. 

I [Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
I; in order to obtain said program key from said memorized entitlement information. 
: [Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 
! transmission of said encryption program. 

^Qaim 7] Said program identifier is an approach according to claim 1 characterized by being transmitted on 
I a control channel. 

felClaim 8] It is the approach of transmitting a program to two or more end users, 

[j (A) The step enciphered using the program key obtained by applying a Hash Function to the master key 
I based on the binary value of each bit position of said program identifier for the program which has a 
I program identifier recurrently, 

1(B) The approach characterized by having the step which transmits the enciphered program and said 
program identifier to said end user. 

||^laim 9] It is the approach of transmitting the program corresponding to at least one program package to 
Itwo or more end users, 

pA) The step which provides said end user with entitlement information based on the set of the program 
llaGquired by said end user, 

llP) The step enciphered using the program key obtained by applying a Hash Function to the master key 
pbased on the binary value of each bit position of said program identifier for the program which has a 
I program identifier recurrently, 

| (C) It has further the step which transmits said program identifier to said end user with the enciphered 
Iprogram, 

5* It is the approach characterized by obtaining said program key from the entitlement information said end 
I user was remembered to be when said end user was a just user of said program. 
; [Claim 10] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from a key 
tree based on the set of the program which said customer acquired from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

(C) The step which obtains said program key from the part said program identifier and said key tree were 
remembered to be, 

(D) The approach characterized by having the step which decodes said encryption program using said 
program key. 

[Claim 11] Said program identifier consists of n bits. 

It is the approach according to claim 10 which said master key is arranged on the root of said key tree, and is 
characterized by generating said key tree when said key tree applies a Hash Function to each node until the 
tree level of n is made. 



[Claim 12] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from the key 
tree based on the set of the program which a customer acquires from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

. (C) The step which obtains said program key from the part the key tree was remembered to be from said 
program identifier and said middle key by applying a Hash Function to said middle key recurrently based 
? on the binary value of said program identifier, 

; (D) The approach characterized by having the step which= decodes said encryption program using said 
program key. 
! [Claim 13] Said program identifier consists of n bits, 

i It is the approach according to claim 12 which said middle key corresponds to the intermediate node in the 
I level r of said key tree, and is characterized by carrying out n-r time application of said Hash Function at 
i said middle key. 

i [Claim 14] It is the system which transmits the program which restricts access to an end user, 

f (A) Memory which memorizes a master key and a computer readout possible code, 

i (B) It has the processor connected with said memory in actuation, and this processor, . 

j (a) Assign the prbgramideniifi 

j (b) Define at least orie .rn^ 

j; (c) Encipher smd prbgram using a program key by applying at least one Ha.sh Function to said master key 
hbased on the binary Value of said program 

r (d) The system characterized by constituting so that an encryption program may be transmitted to $aid end 
! user with said program identifier. 
[Claim 15] It is the system which transmits the program to which access to an end user was restricted, 

(A) Memory which memorizes a master key and the code which can be computer read, 

(B) It has the processor connected with said rnemory on actuation, 
.Said processor, 

(a) Encipher this program that has a program identifier using the program key obtained by applying a Hash 
[ Function to a master key recurrently based on the binary value of each bit position of said program 
: identifier, 

r (b) The system characterized by constituting so that this program eiiciphered by said end user and said 
program identifier may be transmitted. 

[Claim 16] It is the system which decodes the enciphered program, 

(A) Memory which memorizes a master key and the code which can be computer read, 

(B) It has the processor connected with said memory on actuation, and is said processor, 

(a) Receive the entitiement information containing the part of the key tree based on the set of the program 
acquired by said customer from the provider of this program, 

(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to 
be, 

(d) The system characterized by coristituting so that said encryption program may be decoded using said 
program key. 

[Claim 17] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 

(a) Assign the program identifier which has a binary value to a program, 

(b) Define at least one master key, 

(c) Encipher this program using the program key obtained by applying at least one Hash Function to said 



master key based on the binary value of said program identifier, 

(d) The medium which is characterized by transmitting this program enciphered with said program 
identifier to an end user and which can be computer read. 

[Claim 18] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 
(a) Receive the entitlement information containing the part of the key tree based on the set of the program 
i acquired by said customer from the provider of this program, 

,(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to . 
be, 

(d) The medium which is characterized by decoding said encryption program using said program key and 
, which can be computer read. 



-[Translation done J 



